Collected Evidence Report

Executive Summary

Project Summary

Name:	Test1
Started:	2010-06-02 01:42:19 UTC
Completed:	2010-06-02 02:49:27 UTC
Users:	admin

This report contains the results of a security audit performed by Metasploit Express from Rapid7 LLC. It contains confidential information about the state of your network. Access to this information by unauthorized personnel may allow them to compromise your network.

During this test, 3 hosts with a total of 10 exposed services were discovered. Of these, 1 were compromised and 6 passwords were obtained. The most common module used to compromise systems among 75 unique modules was exploit/windows/smb/ms08_067_netapi (1 sessions). From the compromised systems, 4 data files were obtained, including 1 screenshot.

Evidence Report Summary

The purpose of this report is to display evidence which was collected from open sessions during the penetration test.

Collected Evidence Summary
Address	Evidence Type	Content Type	Size	Name	Information
192.168.56.101	host.windows.processes	text/plain	3012	processes.txt	Process Listing
192.168.56.101	host.windows.pwdump	text/plain	504
192.168.56.101	host.windows.screenshot	image/jpeg	25721	screenshot.jpg	Windows Desktop Screenshot
192.168.56.101	host.windows.sysinfo	text/plain	219	sysinfo.txt	System Information

Collected Evidence

2010-06-02 02:44:23 UTC	192.168.56.101 - asdf-b9ca10e6b9	host.windows.sysinfo	sysinfo.txt (219 bytes)	System Information	Download
Text:	Session: 192.168.56.101:1088 Username: NT AUTHORITY\SYSTEM Desktop: Session 0\WinSta0\Default Computer: ASDF-B9CA10E6B9 OS: Windows XP (Build 2600, Service Pack 2). x86 en_US Process: 1016 IdleTime: 11 seconds
2010-06-02 02:44:24 UTC	192.168.56.101 - asdf-b9ca10e6b9	host.windows.processes	processes.txt (3012 bytes)	Process Listing	Download
Text:	Process list ============ PID Name Arch Session User Path --- ---- ---- ------- ---- ---- 0 [System Process] 4 System x86 0 NT AUTHORITY\SYSTEM 536 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe 600 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe 624 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe 668 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe 680 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe 832 VBoxService.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\VBoxService.exe 852 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe 920 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe 1016 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe 1088 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe 1184 avgchsvx.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\AVG\AVG9\avgchsvx.exe 1192 avgrsx.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\AVG\AVG9\avgrsx.exe 1220 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe 1340 avgcsrvx.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\AVG\AVG9\avgcsrvx.exe 1624 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe 1832 avgwdsvc.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\AVG\AVG9\avgwdsvc.exe 416 avgemc.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\AVG\AVG9\avgemc.exe 552 avgnsx.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\AVG\AVG9\avgnsx.exe 120 avgcsrvx.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\AVG\AVG9\avgcsrvx.exe 1712 alg.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\System32\alg.exe 2124 wscntfy.exe x86 0 ASDF-B9CA10E6B9\test C:\WINDOWS\system32\wscntfy.exe 2156 explorer.exe x86 0 ASDF-B9CA10E6B9\test C:\WINDOWS\Explorer.EXE 2308 avgtray.exe x86 0 ASDF-B9CA10E6B9\test C:\PROGRA~1\AVG\AVG9\avgtray.exe 2324 VBoxTray.exe x86 0 ASDF-B9CA10E6B9\test C:\WINDOWS\system32\VBoxTray.exe 2836 wuauclt.exe x86 0 ASDF-B9CA10E6B9\test C:\WINDOWS\system32\wuauclt.exe 3620 logonui.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\logonui.exe
2010-06-02 02:44:36 UTC	192.168.56.101 - asdf-b9ca10e6b9	host.windows.pwdump	(504 bytes)		Download
Text:	Administrator:500:e52cac67xxxxxxxxxxxxxxxxxxxxxxxx65:5835048xxxxxxxxxxxxxxxxxxxxxx3510ef::: Guest:501:aad3b435b51xxxxxxxxxxxxxxxxxxxx04ee:31d6cfexxxxxxxxxxxxxxxxxxxxx9d7e0c089c0::: HelpAssistant:1000:2c54a6dxxxxxxxxxxxxxxxf0140d6bd1cf:b72cxxxxxxxxxxxxxxxce9c49f463::: SUPPORT_388945a0:1002:aad3b43xxxxxxxxxxxxxxxx51404ee:4cfe43d2cxxxxxxxxxxxxxx1f83283d7::: test:1003:aad3xxxxxxxxxxxxxxxxxxxxx435b51404ee:31d6cfxxxxxxxxxxxxxxxxxxxxc089c0::: admin:1004:e52cxxxa9a224a3b108xxxxxb6d:8846f7exxxxxxxxxxxxxxxdd830b7586c:::
2010-06-02 02:44:37 UTC	192.168.56.101 - asdf-b9ca10e6b9	host.windows.screenshot	screenshot.jpg (25721 bytes)	Windows Desktop Screenshot	Download
Bytes:	ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 10 0b 0c 0e 0c 0a 10
Image: