mirror of
https://github.com/mgeeky/Penetration-Testing-Tools.git
synced 2025-01-24 08:19:30 +01:00
Added phishing directory.
This commit is contained in:
parent
522a826ecb
commit
e104ba2539
21
.gitmodules
vendored
@ -1,32 +1,23 @@
[submodule "web/tomcatWarDeployer"]
	path = web/tomcatWarDeployer
	url = https://github.com/mgeeky/tomcatWarDeployer.git
[submodule "social-engineering/VisualBasicObfuscator"]
	path = social-engineering/VisualBasicObfuscator
	url = https://github.com/mgeeky/VisualBasicObfuscator.git
[submodule "social-engineering/RobustPentestMacro"]
	path = social-engineering/RobustPentestMacro
	url = https://github.com/mgeeky/RobustPentestMacro.git
[submodule "web/burpContextAwareFuzzer"]
	path = web/burpContextAwareFuzzer
	url = https://github.com/mgeeky/burpContextAwareFuzzer.git
[submodule "web/dirbuster"]
	path = web/dirbuster
	url = https://github.com/mgeeky/dirbuster.git
[submodule "social-engineering/PhishingPost"]
	path = social-engineering/PhishingPost
	url = https://github.com/mgeeky/PhishingPost.git
[submodule "web/arachni-launching-script"]
	path = web/arachni-launching-script
	url = https://github.com/mgeeky/arachni-launching-script.git
[submodule "red-teaming/RobustPentestMacro"]
	path = red-teaming/RobustPentestMacro
[submodule "phishing/RobustPentestMacro"]
	path = phishing/RobustPentestMacro
	url = https://github.com/mgeeky/RobustPentestMacro
[submodule "red-teaming/VisualBasicObfuscator"]
	path = red-teaming/VisualBasicObfuscator
[submodule "phishing/VisualBasicObfuscator"]
	path = phishing/VisualBasicObfuscator
	url = https://github.com/mgeeky/VisualBasicObfuscator.git
[submodule "red-teaming/PhishingPost"]
	path = red-teaming/PhishingPost
[submodule "phishing/PhishingPost"]
	path = phishing/PhishingPost
	url = https://github.com/mgeeky/PhishingPost.git
[submodule "web/proxy2"]
	path = web/proxy2
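Review bot: the url for phishing/RobustPentestMacro is written without the .git suffix (url = https://github.com/mgeeky/RobustPentestMacro) while every other submodule in this file uses it; make it consistent. Also, after this change the file still carries social-engineering/RobustPentestMacro, social-engineering/VisualBasicObfuscator and social-engineering/PhishingPost, which point at the same three repositories as the new phishing/ entries, so each of those trees is checked out twice; drop the social-engineering/ entries as well or keep one canonical location per repository.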
297
phishing/README.md
Normal file
@ -0,0 +1,297 @@
## Phishing and Social-Engineering related scripts, tools and CheatSheets


- **`decode-spam-headers.py`** - This tool accepts on input an `*.EML` or `*.txt` file with all the SMTP headers. It will then extract a subset of interesting headers and will attempt to parse them.

    This script also extracts all IPv4 addresses and domain names and performs full DNS resolution of them.

    Resulting output will contain useful information on why this e-mail might have been blocked.

    Processed headers:

    - `Authentication-Results`
    - `From`
    - `Received-SPF`
    - `Received`
    - `To`
    - `X-Forefront-Antispam-Report`
    - `X-Mailer`
    - `X-Microsoft-Antispam-Mailbox-Delivery`
    - `X-Microsoft-Antispam-Message-Info`
    - `X-Microsoft-Antispam`
    - `X-MS-Exchange-Transport-EndToEndLatency`
    - `X-MS-Oob-TLC-OOBClassifiers`
    - `X-MS-Exchange-AtpMessageProperties`
    - `X-Exchange-Antispam-Report-CFA-Test`
    - `X-Microsoft-Antispam-Report-CFA-Test`
    - `X-MS-Exchange-AtpMessageProperties`
    - `X-Spam-Status`
    - `X-Spam-Level`
    - `X-Spam-Flag`
    - `X-Spam-Report`
    - and more...

    Most of these headers are not fully documented, therefore the script is unable to pinpoint all the details, but at least it collects all I could find on them.

    Sample run:

    ```
    PS> py decode-spam-headers.py headers.txt

    ------------------------------------------
    (1) Test: Received - Mail Servers Flow

    HEADER:
        Received

    VALUE:
        ...

    ANALYSIS:
        - List of server hops used to deliver message:

          --> (1) "attacker" <attacker@attacker.com>

              |_> (2) ec2-11-22-33-44.eu-west-3.compute.amazonaws.com. (11.22.33.44)
                  time: 01 Jan 2021 12:34:18

              |_> (3) mail-wr1-f51.google.com (209.85.221.51)
                  time: 01 Jan 2021 12:34:20
                  version: fuzzy match: Exchange Server 2019 CU11; October 12, 2021; 15.2.986.9

              |_> (4) SN1NAM02FT0061.eop-nam02.prod.protection.outlook.com (2603:10b6:806:131:cafe::e5)
                  time: 01 Jan 2021 12:34:20
                  version: fuzzy match: Exchange Server 2019 CU11; October 12, 2021; 15.2.986.9

              |_> (5) SA0PR11CA0138.namprd11.prod.outlook.com (2603:10b6:806:131::23)
                  time: 01 Jan 2021 12:34:20
                  version: fuzzy match: Exchange Server 2019 CU11; October 12, 2021; 15.2.986.9

              |_> (6) CP2PR80MB4114.lamprd80.prod.outlook.com (2603:10d6:102:3c::15)
                  time: 01 Jan 2021 12:34:23

              |_> (7) "Victim Surname" <victim@contoso.com>



    ------------------------------------------

    [...]

    ------------------------------------------
    (4) Test: Mail Client Version

    HEADER:
        X-Mailer

    VALUE:
        OEM

    ANALYSIS:
        - X-Mailer header was present and contained value: "OEM".


    ------------------------------------------
    (5) Test: X-Forefront-Antispam-Report

    HEADER:
        X-Forefront-Antispam-Report

    VALUE:
        CIP:209.85.221.51;CTRY:US;LANG:de;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:mail-wr1-f51.google.com;PTR:mail-wr1
        -f51.google.com;CAT:SPM;SFS:(4636009)(6916009)(1096003)(6666004)(4744005)(19625305002)(58800400
        005)(166002)(336012)(356005)(55446002)(5660300002)(956004)(121216002)(7596003)(7636003)(9686003
        )(86362001)(224303003)(26005)(35100500006)(43540500002);DIR:INB;

    ANALYSIS:
        - CIP: Connecting IP address: 209.85.221.51

        - CTRY: The source country as determined by the connecting IP address
            - US

        - LANG: The language in which the message was written
            - de

        - IPV: Ingress Peer Verification status
            - NLI: The IP address was not found on any IP reputation list.

        - SFV: Message Filtering
            - SPM: The message was marked as spam by spam filtering.

        - H: The HELO or EHLO string of the connecting email server.
            - mail-wr1-f51.google.com

        - PTR: Reverse DNS of the Connecting IP peer's address
            - mail-wr1-f51.google.com

        - CAT: The category of protection policy
            - SPM: Spam

        - DIR: Direction of email verification
            - INB: Inbound email verification

        - Message matched 23 Anti-Spam rules:
            - (1096003)
            - (121216002)
            - (166002)
            - (19625305002)
            - (224303003)
            - (26005)
            - (336012)
            - (35100500006) - (SPAM) Message contained embedded image.
            - (356005)
            - (43540500002)
            - (4636009)
            - (4744005)
            - (55446002)
            - (5660300002)
            - (58800400005)
            - (6666004)
            - (6916009)
            - (7596003)
            - (7636003)
            - (86362001)
            - (956004)
            - (9686003)

        - SCL: Spam Confidence Level: 5
            - SPAM: Spam filtering marked the message as Spam


    More information:
        - https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-message-headers
        - https://docs.microsoft.com/en-us/exchange/antispam-and-antimalware/antispam-protection/antispam-stamps
        - https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/spam-confidence-levels
        - https://docs.microsoft.com/en-us/exchange/monitoring/trace-an-email-message/run-a-message-trace-and-view-results


    ------------------------------------------
    (6) Test: X-Microsoft-Antispam-Mailbox-Delivery

    HEADER:
        X-Microsoft-Antispam-Mailbox-Delivery

    VALUE:
        ucf:0;jmr:1;auth:0;dest:J;ENG:(910001)(944506458)(944626604)(750132)(520011016);

    ANALYSIS:
        - This header denotes what to do with received message, where to put it.

        - auth: Message originating from Authenticated sender
            - 0: Not Authenticated

        - dest: Destination where message should be placed
            - J: JUNK directory

        - Message matched 6 Anti-Spam Delivery rules:
            - (520011016)
            - (750132)
            - (910001)
            - (944506458)
            - (944626604)


    ------------------------------------------
    (7) Test: X-Microsoft-Antispam Bulk Mail

    HEADER:
        X-Microsoft-Antispam
    VALUE:
        BCL:0;

    ANALYSIS:
        - BCL: BULK Confidence Level: 0
            The message isn't from a bulk sender.

    More information:
        - https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/bulk-complaint-level-values

    ------------------------------------------

    [...]

    ------------------------------------------
    (10) Test: MS Defender ATP Message Properties

    HEADER:
        X-MS-Exchange-AtpMessageProperties

    VALUE:
        SA|SL

    ANALYSIS:
        - MS Defender Advanced Threat Protection enabled following protections on this message:
            - Safe Attachments Protection
            - Safe Links Protection


    ------------------------------------------
    (11) Test: Domain Impersonation

    HEADER:
        From

    VALUE:
        "attacker" <attacker@attacker.com>

    ANALYSIS:
        - Mail From: <attacker@attacker.com>

        - Mail Domain: attacker.com
              --> resolves to: 11.22.33.44
                  --> reverse-DNS resolves to: ec2-11-22-33-44.eu-west-3.compute.amazonaws.com
                      (sender's domain: amazonaws.com)

        - First Hop: SMTP-SERVICE (44.55.66.77)
              --> resolves to:
                  --> reverse-DNS resolves to: host44-55-66-77.static.arubacloud.pl
                      (first hop's domain: arubacloud.pl)

        - Domain SPF: "v=spf1 include:_spf.google.com ~all"

        - WARNING! Potential Domain Impersonation!
            - Mail's domain should resolve to: amazonaws.com
            - But instead first hop resolved to: arubacloud.pl
    ```

- **`delete-warning-div-macro.vbs`** - VBA Macro function to be used as a Social Engineering trick removing "Enable Content" warning message as the topmost floating text box with given name. ([gist](https://gist.github.com/mgeeky/9cb6acdec31c8a70cc037c84c77a359c))

- **`gophish-send-mail`** - This script will connect to your GoPhish instance, adjust HTML template and will send a quick test e-mail wherever you told it to, in attempt to let you quickly test out your HTML code.

- **`MacroDetectSandbox.vbs`** - Visual Basic script responsible for detecting Sandbox environments, as presented in modern Trojan Droppers implemented in Macros. ([gist](https://gist.github.com/mgeeky/61e4dfe305ab719e9874ca442779a91d))

- **`Macro-Less-Cheatsheet.md`** - Macro-Less Code Execution in MS Office via DDE (Dynamic Data Exchange) techniques Cheat-Sheet ([gist](https://gist.github.com/mgeeky/981213b4c73093706fc2446deaa5f0c5))

- **`macro-psh-stdin-author.vbs`** - VBS Social Engineering Macro with Powershell invocation taking arguments from Author property and feeding them to StdIn. ([gist](https://gist.github.com/mgeeky/50c4b7fa22d930a80247fea62755fbd3))

- **`Phish-Creds.ps1`** - Powershell oneline Credentials Phisher - to be used in malicious Word Macros/VBA/HTA or other RCE commands on seized machine. ([gist](https://gist.github.com/mgeeky/a404d7f23c85954650d686bb3f02abaf))

    One can additionally add, right after `Get-Credential` following parameters that could improve pretext's quality during social engineering attempt:
    - `-Credential domain\username` - when we know our victim's domain and/or username - we can supply this info to the dialog
    - `-Message "Some luring sentence"` - to include some luring message

- [**`PhishingPost`**](https://github.com/mgeeky/PhishingPost) - (PHP Script intdended to be used during Phishing campaigns as a credentials collector linked to backdoored HTML <form> action parameter.

- **`phishing-HTML-linter.py`** - This script will help you identify issues with your HTML code that you wish to use as your Phishing template.

    It looks for things such as:

    - Embedded images
    - Images with lacking `ALT=""` attribute
    - Anchors trying to masquerade links

    Such characteristics are known bad smells that will let your e-mail blocked.

- [**`RobustPentestMacro`**](https://github.com/mgeeky/RobustPentestMacro) - This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques.

- **`warnings\EN-Word.docx`** and **`warnings\EN-Excel.docx`** - Set of ready-to-use Microsoft Office Word shapes that can be pasted / inserted into malicious documents for enticing user into clicking "Enable Editing" and "Enable Content" buttons.

- **`WMIPersistence.vbs`** - Visual Basic Script implementing WMI Persistence method (as implemented in SEADADDY malware and further documented by Matt Graeber) to make the Macro code schedule malware startup after roughly 3 minutes since system gets up. ([gist](https://gist.github.com/mgeeky/d00ba855d2af73fd8d7446df0f64c25a))

- **`Various-Macro-Based-RCEs.md`** - Various Visual Basic Macros-based Remote Code Execution techniques to get your meterpreter invoked on the infected machine. ([gist](https://gist.github.com/mgeeky/61e4dfe305ab719e9874ca442779a91d))

- **`vba-macro-mac-persistence.vbs`** - (WIP) Working on VBA-based MacPersistance functionality for MS Office for Mac Macros. ([gist](https://gist.github.com/mgeeky/dd184e7f50dfab5ac97b4855f23952bc))

- **`vba-windows-persistence.vbs`** - VBA Script implementing two windows persistence methods - via WMI EventFilter object and via simple Registry Run. ([gist](https://gist.github.com/mgeeky/07ffbd9dbb64c80afe05fb45a0f66f81))

- [**`VisualBasicObfuscator`**](https://github.com/mgeeky/VisualBasicObfuscator) - Visual Basic Code universal Obfuscator intended to be used during penetration testing assignments.
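Review bot: the "Domain Impersonation" test in the sample run compares the reverse DNS of the From domain's A record (amazonaws.com) with the reverse DNS of the first hop (arubacloud.pl) and raises a warning on mismatch, yet the same sample prints the domain's SPF record as "v=spf1 include:_spf.google.com ~all", i.e. a domain that legitimately relays through a third-party provider will never have its web host match its outbound MTA. The README should state that this check is a hint only and that the Authentication-Results verdicts (SPF/DKIM/DMARC) are the authoritative signal. Documentation nits in the same file: X-MS-Exchange-AtpMessageProperties is listed twice under "Processed headers"; "intdended" and the unbalanced "(" in the PhishingPost entry; "will let your e-mail blocked" should read "will get your e-mail blocked"; MacroDetectSandbox.vbs and Various-Macro-Based-RCEs.md link to the same gist id (61e4dfe305ab719e9874ca442779a91d), so one of the two links is wrong.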
1958
phishing/decode-spam-headers.py
Normal file
File diff suppressed because it is too large
56
phishing/gophish-send-mail/README.md
Normal file
@ -0,0 +1,56 @@
## `gophish-send-mail.py`

This script will connect to your GoPhish instance, adjust HTML template and will send a quick test e-mail wherever you told it to, in attempt to let you quickly test out your HTML code.

1. Firstly you need to come up with YAML configuration file:


These are required parameters:
```
gophish_addr: https://127.0.0.1:3100
token: 1b07b71b0ba50...API_KEY...efe720a1ab79

file: test.html
template_name: existing-template-name

sender: sender@attacker.com
recipient: recipient@contoso.com
```

These are optional parameters:

- `subject`
- `first_name`
- `last_name`
- `position`
- `url`
- `dont_restore`

2. Then prepare your HTML file with message you want to send.

3. And run it.

Sample run:

```
PS > py .\gophish-send-mail.py .\send-mail-with-gophish.yaml

    :: GoPhish Single Mail Send utility
    Helping you embellish your emails by sending them one-by-one
    Mariusz B. / mgeeky

[+] Template to use:
    ID:      22
    Name:    test-template-1
    Subject: Click Here To Win

[.] Updating it...
[+] Template updated.
[.] Sending e-mail via Campaign -> Send Test Email...
    From:    sender@attacker.com
    To:      recipient@contoso.com

[+] Email Sent
[.] Restoring template...
[+] Finished.
```
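Review bot: the sample run does not match what the script prints: the code emits `[.] Updating it with file "..."` and `Recipient:` where this README shows `[.] Updating it...` and `To:`; keep the two in sync. The required parameters put the GoPhish API token in a plaintext YAML next to the instance address; say that this file must stay out of version control, and warn that the script talks to the API with TLS verification disabled (`verify = False`), so `gophish_addr` should only ever be a local or otherwise trusted endpoint. `dont_restore` is listed but never explained; one line saying it leaves the modified template in place after sending would do.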
@ -0,0 +1,8 @@
gophish_addr: https://127.0.0.1:3100
token: 1b07b71b0ba50...API_KEY...efe720a1ab79

file: test.html
template_name: existing-template-name

sender: sender@attacker.com
recipient: recipient@contoso.com
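Review bot: the file header for this hunk is missing from the rendered page; the sample run in the README references `.\send-mail-with-gophish.yaml`, so this is presumably the shipped sample config. The token line is a placeholder (`1b07b71b0ba50...API_KEY...efe720a1ab79`), which is fine, but any copy edited with a real token ends up next to the instance address and should be gitignored, since a leaked GoPhish API key gives the holder the same control over campaigns, templates and harvested results as the admin UI.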
202
phishing/gophish-send-mail/gophish-send-mail.py
Normal file
@ -0,0 +1,202 @@
#!/usr/bin/python3

import os, sys, re
import string
import argparse
import yaml
import json
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

options = {
    'gophish_addr': '',
    'token' : '',
    'file' : '',
    'template_name' : '',
    'subject': '',
    'first_name': '',
    'last_name': '',
    'position': '',
    'sender': '',
    'recipient': '',
    'url' : '',
    'dont_restore' : False
}

headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36',
    'Authorization': '',
}

def get(url):
    r = requests.get(
        f"{options['gophish_addr']}" + url,
        headers = headers,
        verify = False
    )

    if r.status_code != 200:
        print(f'[!] URL: {url} returned status code: {r.status_code}!')
        print(r.json())
        sys.exit(1)

    return r.json()

def put(url, data):
    r = requests.put(
        f"{options['gophish_addr']}" + url,
        headers = headers,
        json = data,
        verify = False
    )

    if r.status_code != 200:
        print(f'[!] URL: {url} returned status code: {r.status_code}!')
        print(r.json())
        sys.exit(1)

    return r.json()

def post(url, data):
    r = requests.post(
        f"{options['gophish_addr']}" + url,
        headers = headers,
        json = data,
        verify = False
    )

    if r.status_code != 200:
        print(f'[!] URL: {url} returned status code: {r.status_code}!')
        print(r.json())
        sys.exit(1)

    return r.json()

def getTemplate():
    out = get("/api/templates/?{}")

    for obj in out:
        if obj['name'] == options['template_name']:
            return obj

    print(f'[!] Could not find template named: "{options["template_name"]}"!')
    sys.exit(1)

def updateTemplate(template, html):
    obj = {}
    obj.update(template)
    obj['html'] = html

    if len(options['subject']) > 0:
        obj['subject'] = options['subject']

    out = put(f'/api/templates/{template["id"]}', obj)

def sendEmail():
    obj = {
        "template":{
            "name": options['template_name']
        },

        "first_name": options['first_name'],
        "last_name": options['last_name'],
        "email": options['recipient'],
        "position": options['position'],
        "url":options['url'],
        "page": {
            "name": ""
        },
        "smtp": {
            "name": options['sender']
        }
    }

    out = post('/api/util/send_test_email', obj)

    if out['success']:
        print('[+] ' + out['message'])
    else:
        print('[!] ' + out['message'])

def opts(argv):
    global options
    global headers

    o = argparse.ArgumentParser(
        usage = 'gophish-send-mail.py [options] <config.yaml>'
    )

    req = o.add_argument_group('Required arguments')
    req.add_argument('config', help = 'YAML config file')

    args = o.parse_args()

    op = None
    with open(args.config, encoding='utf-8') as f:
        op = yaml.safe_load(f)

    for k in (
        'gophish_addr',
        'token',
        'file',
        'template_name',
        'recipient',
        'sender'
    ):
        if k not in op.keys():
            print(f'[!] {k} not specified!')
            sys.exit(1)

    if op['gophish_addr'][-1] == '/':
        op['gophish_addr'] = op['gophish_addr'][:-1]

    headers['Authorization'] = f'Bearer {op["token"]}'

    options.update(op)
    return op

def main(argv):
    args = opts(argv)
    if not args:
        return False

    print('''
    :: GoPhish Single Mail Send utility
    Helping you embellish your emails by sending them one-by-one
    Mariusz B. / mgeeky
''')

    template = getTemplate()

    print(f'''[+] Template to use:
    ID:      {template["id"]}
    Name:    {template["name"]}
    Subject: {template["subject"]}
''')

    print(f'[.] Updating it with file "{options["file"]}"...')

    html = ''
    with open(options['file'], 'rb') as f:
        html = f.read()

    updateTemplate(template, html.decode())

    print('[+] Template updated.')

    print(f'''[.] Sending e-mail via Campaign -> Send Test Email...
    From:      {options['sender']}
    Recipient: {options['recipient']}
''')
    sendEmail()

    if not options['dont_restore']:
        print('[.] Restoring template...')
        updateTemplate(template, template['html'])

    print('[+] Finished.')

if __name__ == '__main__':
    main(sys.argv)
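Review bot: all three HTTP helpers (get, put, post) pass `verify = False`, which silently disables TLS certificate validation on every request that carries the Bearer token; make verification the default and accept an optional CA bundle path (or an explicit opt-out key in the YAML) for self-signed local instances. Logic bug in the restore path: updateTemplate() overwrites `obj['subject']` from `options['subject']` whenever it is non-empty, and main() restores with `updateTemplate(template, template['html'])`, so a run that used a custom subject puts the old HTML back but leaves the new subject in place; pass the original subject explicitly when restoring. Smaller points: getTemplate() requests `"/api/templates/?{}"`, where the `{}` looks like a leftover format placeholder; the error branches call `r.json()` on a non-200 response, which raises on a non-JSON body and hides the real error (print `r.text` instead); and when `send_test_email` reports `success == False` the script still restores the template and exits 0, so a failed send is not visible to a caller.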
222
phishing/phishing-HTML-linter.py
Normal file
@ -0,0 +1,222 @@
#!/usr/bin/python3

import os, sys, re
import string
import argparse
import yaml
import json

from bs4 import BeautifulSoup

options = {
    'format' : 'text',
}

class PhishingMailParser:
    def __init__(self, options):
        self.options = options
        self.results = {}

    def parse(self, html):
        self.html = html
        self.soup = BeautifulSoup(html, features="lxml")

        self.results['Embedded Images'] = self.testEmbeddedImages()
        self.results['Images without ALT'] = self.testImagesNoAlt()
        self.results['Masqueraded Links'] = self.testMaskedLinks()

        return {k: v for k, v in self.results.items() if v}

    @staticmethod
    def context(tag):
        s = str(tag)

        if len(s) < 100:
            return s

        beg = s[:50]
        end = s[-50:]

        return f'{beg}...{end}'

    def testMaskedLinks(self):
        links = self.soup('a')

        desc = 'Links that masquerade their href= attribute by displaying different link are considered harmful and will increase Spam score.'
        context = ''
        result = ''
        num = 0
        embed = ''

        for link in links:
            try:
                href = link['href']
            except:
                continue

            text = link.getText()

            url = re.compile(r'((http|https)\:\/\/)?[a-zA-Z0-9\.\/\?\:@\-_=#]+\.([a-zA-Z]){2,6}([a-zA-Z0-9\.\&\/\?\:@\-_=#])*')

            m1 = url.match(href)
            m2 = url.match(text)

            if m1 and m2:
                num += 1
                context += '- ' + PhishingMailParser.context(link) + '\n'
                context += f'\thref = "{href[:64]}"\n'
                context += f'\ttext = "{text[:64]}"\n\n'

        if num > 0:
            result += f'- Found {num} <a> tags that masquerade their href="" links with text!\n'
            result += '\t Links that try to hide underyling URL are harmful and will be considered as Spam!\n'

        if len(result) == 0:
            return []

        return {
            'description' : desc,
            'context' : context,
            'analysis' : result
        }

    def testImagesNoAlt(self):
        images = self.soup('img')

        desc = 'Images without ALT="value" attribute may increase Spam scorage.'
        context = ''
        result = ''
        num = 0
        embed = ''

        for img in images:
            src = img['src']
            alt = ''

            try:
                alt = img['alt']
            except:
                pass

            if alt == '':
                num += 1
                context += '- ' + PhishingMailParser.context(img) + '\n'

        if num > 0:
            result += f'- Found {num} <img> tags without ALT="value" attribute.\n'
            result += '\t Images without alternate text set in their attribute may increase Spam score\n'

        if len(result) == 0:
            return []

        return {
            'description' : desc,
            'context' : context,
            'analysis' : result
        }

    def testEmbeddedImages(self):
        images = self.soup('img')

        desc = 'Embedded images can increase Spam Confidence Level (SCL) in Office365 by 4 points. Embedded images are those with <img src="data:image/png;base64,<BLOB>"/> . They should be avoided.'
        context = ''
        result = ''
        num = 0
        embed = ''

        for img in images:
            src = img['src']
            alt = ''

            try:
                alt = img['alt']
            except:
                pass

            if src.lower().startswith('data:image/'):
                if len(embed) == 0:
                    embed = src[:30]

                num += 1
                if len(alt) > 0:
                    context += f'- ALT="{alt}": ' + PhishingMailParser.context(img) + '\n'
                else:
                    context += '- ' + PhishingMailParser.context(img) + '\n'

        if num > 0:
            result += f'- Found {num} <img> tags with embedded image ({embed}).\n'
            result += '\t Embedded images increase Office365 SCL (Spam) level by 4 points!\n'

        if len(result) == 0:
            return []

        return {
            'description' : desc,
            'context' : context,
            'analysis' : result
        }


def printOutput(out):
    if options['format'] == 'text':
        width = 100
        num = 0

        for k, v in out.items():
            num += 1
            analysis = v['analysis']
            context = v['context']

            analysis = analysis.replace('- ', '\t- ')

            print(f'''
------------------------------------------
({num}) Test: {k}

CONTEXT:
{context}

ANALYSIS:
{analysis}
''')

    elif options['format'] == 'json':
        print(json.dumps(out))

def opts(argv):
    global options
    global headers

    o = argparse.ArgumentParser(
        usage = 'phishing-HTML-linter.py [options] <file.html>'
    )

    req = o.add_argument_group('Required arguments')
    req.add_argument('file', help = 'Input HTML file')

    args = o.parse_args()
    return args

def main(argv):
    args = opts(argv)
    if not args:
        return False

    print('''
    :: Phishing HTML Linter
    Shows you bad smells in your HTML code that will get your mails busted!
    Mariusz B. / mgeeky
''')

    html = ''
    with open(args.file, 'rb') as f:
        html = f.read()

    p = PhishingMailParser({})
    ret = p.parse(html.decode())

    printOutput(ret)


if __name__ == '__main__':
    main(sys.argv)
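Review bot: testMaskedLinks() flags any `<a>` whose href and visible text both look like URLs without checking that they differ, so `<a href="https://example.com">https://example.com</a>` is reported as masquerading; compare the two (at least by host) before counting it. In the same loop `url.match()` anchors at the start of the string, so link text with leading whitespace or a prefix such as "Click here: https://..." is never matched; use `search()` or strip the text first. testImagesNoAlt() and testEmbeddedImages() index `img['src']` without the try/except they use for `alt`, so an `<img>` with no src attribute raises KeyError and aborts the whole run. The `'json'` branch of printOutput() is unreachable because opts() never exposes a `--format` switch, and `global headers` plus the `yaml` import are unused.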
@ -72,8 +72,6 @@ IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Com

- **`Create-Lnk.ps1`** - Uttertly simple script to create LNK files. Handy when one needs to create some dodgy shortcuts acting as yet another stage in code execution step.

- **`delete-warning-div-macro.vbs`** - VBA Macro function to be used as a Social Engineering trick removing "Enable Content" warning message as the topmost floating text box with given name. ([gist](https://gist.github.com/mgeeky/9cb6acdec31c8a70cc037c84c77a359c))

- **`Disable-Amsi.ps1`** - Tries to evade AMSI by leveraging couple of publicly documented techniqus, but in an approach to avoid signatured or otherwise considered harmful keywords.

    Using a hash-lookup approach when determining prohibited symbol names, we are able to avoid relying on blacklisted values and having them hardcoded within the script. This implementation iterates over all of the assemblies, their exposed types, methods and fields in order to find those that are required but by their computed hash-value rather than direct name. Since hash-value computation algorithm was open-sources and is simple to manipulate, the attacker becomes able to customize hash-lookup scheme the way he likes.
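Review bot: removing delete-warning-div-macro.vbs here is consistent with the new entry in phishing/README.md. Since this region of the README (the rogue-dot-net link below shows it lives under red-teaming/) is being touched anyway, the surrounding context lines carry typos worth fixing in the same commit: "Uttertly", "techniqus", and "open-sources" for "open-sourced".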
@ -289,12 +287,6 @@ PS E:\PowerSploit\Recon> Get-DomainOU | Get-DomainOUTree

- **`Invoke-Command-Cred-Example.ps1`** - Example of using PSRemoting with credentials passed directly from command line. ([gist](https://gist.github.com/mgeeky/de4ecf952ddce774d241b85cfbf97faf))

- **`MacroDetectSandbox.vbs`** - Visual Basic script responsible for detecting Sandbox environments, as presented in modern Trojan Droppers implemented in Macros. ([gist](https://gist.github.com/mgeeky/61e4dfe305ab719e9874ca442779a91d))

- **`Macro-Less-Cheatsheet.md`** - Macro-Less Code Execution in MS Office via DDE (Dynamic Data Exchange) techniques Cheat-Sheet ([gist](https://gist.github.com/mgeeky/981213b4c73093706fc2446deaa5f0c5))

- **`macro-psh-stdin-author.vbs`** - VBS Social Engineering Macro with Powershell invocation taking arguments from Author property and feeding them to StdIn. ([gist](https://gist.github.com/mgeeky/50c4b7fa22d930a80247fea62755fbd3))

- **`markOwnedNodesInNeo4j.py`** - This script takes an input file containing Node names to be marked in Neo4j database as owned = True. The strategy for working with neo4j and Bloodhound becomes fruitful during complex Active Directory Security Review assessments or Red Teams. Imagine you've kerberoasted a number of accounts, access set of workstations or even cracked userPassword hashes. Using this script you can quickly instruct Neo4j to mark that principals as owned, which will enrich your future use of BloodHound.

```bash
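Review bot: the three entries removed here (MacroDetectSandbox.vbs, Macro-Less-Cheatsheet.md, macro-psh-stdin-author.vbs) reappear verbatim in phishing/README.md, so nothing is lost, but Macro-Less-Cheatsheet.md documents DDE code execution, which is a payload technique rather than a lure and fits red-teaming/ at least as well as phishing/; state the criterion for the split. The markOwnedNodesInNeo4j.py context line reads "access set of workstations ... mark that principals"; it should read "accessed a set of workstations ... mark those principals".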
@ -318,21 +310,10 @@ $ ./markOwnedNodesInNeo4j.py kerberoasted.txt

- **`muti-stage-1.md`** - Multi-Stage Penetration-Testing / Red Teaming Malicious Word document creation process. ([gist](https://gist.github.com/mgeeky/6097ea56e0f541aa7d98161e2aa76dfb))

- **`Phish-Creds.ps1`** - Powershell oneline Credentials Phisher - to be used in malicious Word Macros/VBA/HTA or other RCE commands on seized machine. ([gist](https://gist.github.com/mgeeky/a404d7f23c85954650d686bb3f02abaf))

    One can additionally add, right after `Get-Credential` following parameters that could improve pretext's quality during social engineering attempt:
    - `-Credential domain\username` - when we know our victim's domain and/or username - we can supply this info to the dialog
    - `-Message "Some luring sentence"` - to include some luring message

- [**`PhishingPost`**](https://github.com/mgeeky/PhishingPost) - (PHP Script intdended to be used during Phishing campaigns as a credentials collector linked to backdoored HTML <form> action parameter.

- [**`RedWarden`**](https://github.com/mgeeky/RedWarden) - A Cobalt Strike C2 Reverse proxy fending off Blue Teams, AVs, EDRs, scanners through packet inspection and malleable profile correlation.

- [**`rogue-dot-net`**](https://github.com/mgeeky/Penetration-Testing-Tools/tree/master/red-teaming/rogue-dot-net) - Set of scripts, requirements and instructions for generating .NET Assemblies valid for **Regasm**/**Regsvcs**/**InstallUtil** code execution primitives.

- [**`RobustPentestMacro`**](https://github.com/mgeeky/RobustPentestMacro) - This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques.


- **`Save-ReconData.ps1`** - Powershell script leveraging [PowerSploit Recon](https://github.com/PowerShellMafia/PowerSploit) module (PowerView) to save output from Reconnaissance cmdlets like `Get-*`, `Find-*` into _Clixml_ files. It differs from `Export-ReconData.ps1` in that it supports only older PowerView version from before 12 dec 2016.
    Exposed functions:
    - `Save-ReconData` - Launches many cmdlets and exports their Clixml outputs.
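Review bot: Phish-Creds.ps1, PhishingPost and RobustPentestMacro leave this README, but the PhishingPost line is copied into phishing/README.md together with its typo and unbalanced parenthesis ("(PHP Script intdended"), so fix it at the destination rather than carrying it over. "muti-stage-1.md" in the context line looks like a typo for "multi-stage-1.md" unless the file really is named that way; worth checking while the list is being reorganised.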
@ -446,14 +427,3 @@ mimikatz(powershell) # ;

- **`SubstitutePageMacro.vbs`** - This is a template for the Malicious Macros that would like to substitute primary contents of the document (like luring/fake warnings to "Enable Content") and replace document's contents with what is inside of an AutoText named `RealDoc` (configured via variable `autoTextTemplateName` ). ([gist](https://gist.github.com/mgeeky/3c705560c5041ab20c62f41e917616e6))

- **`warnings\EN-Word.docx`** and **`warnings\EN-Excel.docx`** - Set of ready-to-use Microsoft Office Word shapes that can be pasted / inserted into malicious documents for enticing user into clicking "Enable Editing" and "Enable Content" buttons.

- **`WMIPersistence.vbs`** - Visual Basic Script implementing WMI Persistence method (as implemented in SEADADDY malware and further documented by Matt Graeber) to make the Macro code schedule malware startup after roughly 3 minutes since system gets up. ([gist](https://gist.github.com/mgeeky/d00ba855d2af73fd8d7446df0f64c25a))

- **`Various-Macro-Based-RCEs.md`** - Various Visual Basic Macros-based Remote Code Execution techniques to get your meterpreter invoked on the infected machine. ([gist](https://gist.github.com/mgeeky/61e4dfe305ab719e9874ca442779a91d))

- **`vba-macro-mac-persistence.vbs`** - (WIP) Working on VBA-based MacPersistance functionality for MS Office for Mac Macros. ([gist](https://gist.github.com/mgeeky/dd184e7f50dfab5ac97b4855f23952bc))

- **`vba-windows-persistence.vbs`** - VBA Script implementing two windows persistence methods - via WMI EventFilter object and via simple Registry Run. ([gist](https://gist.github.com/mgeeky/07ffbd9dbb64c80afe05fb45a0f66f81))

- [**`VisualBasicObfuscator`**](https://github.com/mgeeky/VisualBasicObfuscator) - Visual Basic Code universal Obfuscator intended to be used during penetration testing assignments.
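Review bot: the lure material (warnings\EN-Word.docx, warnings\EN-Excel.docx) moves out together with WMIPersistence.vbs, vba-windows-persistence.vbs, vba-macro-mac-persistence.vbs and VisualBasicObfuscator, yet SubstitutePageMacro.vbs, which is the same kind of "Enable Content" lure macro, stays in this README. Either move it with the others or state the split criterion, because by a lures-versus-post-exploitation split the two persistence scripts and the obfuscator are post-exploitation tooling and arguably belong here rather than in phishing/.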