Unable to read dns records
RITOps opened this issue · 1 comment
Summary
Ran CHIRP v1.06 and got an error message about DNS records not being read. The scan tool continues through and completes. However, I'm not sure if the network.json file coming back with nothing is a valid result or if the error is impacting the scan results.
When I manually perform the ipconfig /displaydns command, the DNS records are displayed.
To reproduce
Download CHIRP.zip, extract to a folder, double-click chirp.exe.
This is on a Windows 2012R2 Server.
Expected behavior
Scan should run, process the DNS records found, and continue with all other scans until successfully completed.
Any helpful log output or screenshots
Error message:
15:29:23 EVENTS Reading Security event logs. scan.py:69
15:29:24 ERROR Unable to read dns records returned by ipconfig /displaydns network.py:41
NETWORK Read 28 records, found 0 IoC hits. scan.py:56
REGISTRY Reading HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot scan.py:65
REGISTRY Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot does not exist. registry.py:93
REGISTRY Reading HKEY_LOCAL_MACHINE\Software\Microsoft\CTF scan.py:65
REGISTRY Reading HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options scan.py:65
REGISTRY Found 0 hit(s) for Sibot - Registry indicator. scan.py:47
REGISTRY Found 0 hit(s) for Teardrop - Registry Activity indicator. scan.py:47
REGISTRY Found 0 hit(s) for IFEO Persistence indicator. scan.py:47
YARA Enumerating the entire filesystem due to ['simpleseesharp : Webshell Unclassified', 'reGeorgTunnel : Webshell Commodity', 'sportsball : Webshell', 'Detection for the use of procdump to dump LSASS process memory.', 'CISA Solar Fire', 'CISA Teardrop', 'CrowdStrike Rempack', 'CrowdStrike Sunspot', 'FireEye Cosmic Gale', 'FireEye Sunburst']... this is going to take a while. run.py:161
15:29:24 EVENTS Reading Application event logs. scan.py:69
15:29:26 YARA Beginning processing. run.py:109
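Added example, not CHIRP's own code: a stand-alone parser for the `ipconfig /displaydns` cache that the scan above failed to read, so an analyst can independently list what the resolver cache held and judge whether an empty network.json is plausible. It assumes the English-locale field layout shown in the constructed sample; `read_dns_cache` only works on a Windows host.

```python
import re
import subprocess
from typing import Dict, List

# Constructed sample of English-locale `ipconfig /displaydns` output (not a real capture).
SAMPLE_OUTPUT = """
Windows IP Configuration

    example.com
    ----------------------------------------
    Record Name . . . . . : example.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 300
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 93.184.216.34

    nxdomain.test
    ----------------------------------------
    Name does not exist.
"""

# "Key . . . : value" field line; the dots are layout padding, not part of the key.
FIELD_RE = re.compile(r"^(?P<key>[^:.]+?)[ .]*:\s*(?P<value>.*)$")


def parse_displaydns(text: str) -> List[Dict[str, str]]:
    """Return one dict per cache entry: the queried 'name' plus its fields,
    or 'negative': 'true' for names the resolver cached as non-existent."""
    records: List[Dict[str, str]] = []
    current, previous = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("----"):  # separator: the non-blank line above it is the queried name
            current = {"name": previous}
            records.append(current)
        elif current is not None and line == "Name does not exist.":
            current["negative"] = "true"
        elif current is not None and (m := FIELD_RE.match(line)):
            current[m.group("key").strip()] = m.group("value").strip()
        if line:
            previous = line
    return records


def read_dns_cache() -> List[Dict[str, str]]:
    """Windows only: run ipconfig /displaydns and parse it. Decoding with the OEM
    code page and errors="replace" keeps odd console bytes from aborting the read."""
    proc = subprocess.run(["ipconfig", "/displaydns"], capture_output=True, check=True)
    return parse_displaydns(proc.stdout.decode("oem", errors="replace"))
```

Comparing the names returned here against the entries in network.json shows whether the file is empty because the cache was empty or because the read failed.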
This is related to #39, going to close this ticket and continue conversation there.