## Phishing and Social-Engineering related scripts, tools and CheatSheets - [**`decode-spam-headers.py`**](https://github.com/mgeeky/Penetration-Testing-Tools/tree/master/phishing/decode-spam-headers) - This tool accepts on input an `*.EML` or `*.txt` file with all the SMTP headers. It will then extract a subset of interesting headers and using **79+** tests will attempt to decode them as much as possible. This script also extracts all IPv4 addresses and domain names and performs full DNS resolution of them. Resulting output will contain useful information on why this e-mail might have been blocked. Processed headers (more than **67+** headers are parsed): - `X-forefront-antispam-report` - `X-exchange-antispam` - `X-exchange-antispam-mailbox-delivery` - `X-exchange-antispam-message-info` - `X-microsoft-antispam-report-cfa-test` - `Received-spf` - `X-mailer` - `X-originating-ip` - `User-agent` - `X-forefront-antispam-report` - `X-microsoft-antispam-mailbox-delivery` - `X-microsoft-antispam` - `X-exchange-antispam-report-cfa-test` - `X-spam-status` - `X-spam-level` - `X-spam-flag` - `X-spam-report` - `X-vr-spamcause` - `X-ovh-spam-reason` - `X-vr-spamscore` - `X-virus-scanned` - `X-spam-checker-version` - `X-ironport-av` - `X-ironport-anti-spam-filtered` - `X-ironport-anti-spam-result` - `X-mimecast-spam-score` - `Spamdiagnosticmetadata` - `X-ms-exchange-atpmessageproperties` - `X-ms-exchange-transport-endtoendlatency` - `X-ms-oob-tlc-oobclassifiers` - `X-ip-spam-verdict` - `X-amp-result` - `X-ironport-remoteip` - `X-ironport-reputation` - `X-sbrs` - `X-ironport-sendergroup` - `X-policy` - `X-ironport-mailflowpolicy` - `X-remote-ip` - `X-sea-spam` - `X-fireeye` - `X-antiabuse` - `X-tmase-version` - `X-tm-as-product-ver` - `X-tm-as-result` - `X-imss-scan-details` - `X-tm-as-user-approved-sender` - `X-tm-as-user-blocked-sender` - `X-tmase-result` - `X-tmase-snap-result` - `X-imss-dkim-white-list` - `X-tm-as-result-xfilter` - `X-tm-as-smtp` - `X-scanned-by` - `X-mimecast-spam-signature` - `X-mimecast-bulk-signature` - `X-forefront-antispam-report-untrusted` - `X-microsoft-antispam-untrusted` - `X-sophos-senderhistory` - `X-sophos-rescan` - and more... Most of these headers are not fully documented, therefore the script is unable to pinpoint all the details, but at least it collects all I could find on them. - **`delete-warning-div-macro.vbs`** - VBA Macro function to be used as a Social Engineering trick removing "Enable Content" warning message as the topmost floating text box with given name. ([gist](https://gist.github.com/mgeeky/9cb6acdec31c8a70cc037c84c77a359c)) - **`gophish-send-mail`** - This script will connect to your GoPhish instance, adjust HTML template and will send a quick test e-mail wherever you told it to, in attempt to let you quickly test out your HTML code. - **`MacroDetectSandbox.vbs`** - Visual Basic script responsible for detecting Sandbox environments, as presented in modern Trojan Droppers implemented in Macros. ([gist](https://gist.github.com/mgeeky/61e4dfe305ab719e9874ca442779a91d)) - **`Macro-Less-Cheatsheet.md`** - Macro-Less Code Execution in MS Office via DDE (Dynamic Data Exchange) techniques Cheat-Sheet ([gist](https://gist.github.com/mgeeky/981213b4c73093706fc2446deaa5f0c5)) - **`macro-psh-stdin-author.vbs`** - VBS Social Engineering Macro with Powershell invocation taking arguments from Author property and feeding them to StdIn. ([gist](https://gist.github.com/mgeeky/50c4b7fa22d930a80247fea62755fbd3)) - **`Phish-Creds.ps1`** - Powershell oneline Credentials Phisher - to be used in malicious Word Macros/VBA/HTA or other RCE commands on seized machine. ([gist](https://gist.github.com/mgeeky/a404d7f23c85954650d686bb3f02abaf)) One can additionally add, right after `Get-Credential` following parameters that could improve pretext's quality during social engineering attempt: - `-Credential domain\username` - when we know our victim's domain and/or username - we can supply this info to the dialog - `-Message "Some luring sentence"` - to include some luring message - [**`PhishingPost`**](https://github.com/mgeeky/PhishingPost) - (PHP Script intdended to be used during Phishing campaigns as a credentials collector linked to backdoored HTML