mgeeky-Penetration-Testing-Tools

History

Mariusz B. / mgeeky 0a0733a146 Updated decode-spam-headers		2023-06-27 21:16:18 +02:00
..
CustomXMLPart@1cdb552746	Added CustomXMLPart	2022-08-10 02:35:53 +02:00
PhishingPost@32c7667841	updates	2021-10-24 23:31:06 +02:00
RobustPentestMacro@e2f17afdcb	updates	2021-10-24 23:31:06 +02:00
VisualBasicObfuscator@3bb3de9035	updated submodules	2022-05-05 14:23:50 +02:00
decode-spam-headers@0489be1e7d	Updated decode-spam-headers	2023-06-27 21:16:18 +02:00
gophish-send-mail	updates	2021-10-24 23:11:42 +02:00
warnings	Added German-based lures.	2021-10-17 15:34:07 +02:00
DancingRightToLeft.py	fix	2022-02-06 22:56:54 +01:00
Macro-Less-Cheatsheet.md	Added phishing directory.	2021-10-17 15:22:05 +02:00
MacroDetectSandbox.vbs	Added phishing directory.	2021-10-17 15:22:05 +02:00
Phish-Creds.ps1	Added phishing directory.	2021-10-17 15:22:05 +02:00
README.md	Updated phishing-HTML-linter.py	2022-12-12 23:20:41 +01:00
Various-Macro-Based-RCEs.md	Added phishing directory.	2021-10-17 15:22:05 +02:00
WMIPersistence.vbs	updates	2021-10-24 23:11:42 +02:00
macro-psh-stdin-author.vbs	Added phishing directory.	2021-10-17 15:22:05 +02:00
phishing-HTML-linter.py	Updated phishing-HTML-linter.py	2022-12-12 23:19:11 +01:00
vba-macro-mac-persistence.vbs	Added phishing directory.	2021-10-17 15:22:05 +02:00
vba-windows-persistence.vbs	updates	2021-10-24 23:11:42 +02:00

README.md

CustomXMLPart - Proof of Concept for hiding malware payloads in MS Office Custom XML parts storage structure
DancingRightToLeft.py - A script abusing Right-To-Left Override unicode byte to rename phishing payloads.

PS> py DancingRightToLeft.py 502.html fax

    :: Dancing Right-To-Left

    A script abusing Right-To-Left Override unicode byte to rename phishing payloads.

    Mariusz Banach / mgeeky '22, (@mariuszbit)
    <mb@binary-offensive.com>

INPUT:

    Payload Filename                                 :  502.html
    Payload Extension                                :  ".html"
    Decoy payloads' extension as                     :  ".fax"

OUTPUT:

    Your file was named in following way             :  "502 \u202exaf.html"

    Your filename will look like this (simulated)    :  "502 lmth.fax"
    Your filename will look like this (real display) :  502                                              lmth.fax

decode-spam-headers.py - This tool accepts on input an *.EML or *.txt file with all the SMTP headers. It will then extract a subset of interesting headers and using 79+ tests will attempt to decode them as much as possible.

This script also extracts all IPv4 addresses and domain names and performs full DNS resolution of them. Resulting output will contain useful information on why this e-mail might have been blocked.

Processed headers (more than 67+ headers are parsed):
- X-forefront-antispam-report
- X-exchange-antispam
- X-exchange-antispam-mailbox-delivery
- X-exchange-antispam-message-info
- X-microsoft-antispam-report-cfa-test
- Received-spf
- X-mailer
- X-originating-ip
- User-agent
- X-forefront-antispam-report
- X-microsoft-antispam-mailbox-delivery
- X-microsoft-antispam
- X-exchange-antispam-report-cfa-test
- X-spam-status
- X-spam-level
- X-spam-flag
- X-spam-report
- X-vr-spamcause
- X-ovh-spam-reason
- X-vr-spamscore
- X-virus-scanned
- X-spam-checker-version
- X-ironport-av
- X-ironport-anti-spam-filtered
- X-ironport-anti-spam-result
- X-mimecast-spam-score
- Spamdiagnosticmetadata
- X-ms-exchange-atpmessageproperties
- X-ms-exchange-transport-endtoendlatency
- X-ms-oob-tlc-oobclassifiers
- X-ip-spam-verdict
- X-amp-result
- X-ironport-remoteip
- X-ironport-reputation
- X-sbrs
- X-ironport-sendergroup
- X-policy
- X-ironport-mailflowpolicy
- X-remote-ip
- X-sea-spam
- X-fireeye
- X-antiabuse
- X-tmase-version
- X-tm-as-product-ver
- X-tm-as-result
- X-imss-scan-details
- X-tm-as-user-approved-sender
- X-tm-as-user-blocked-sender
- X-tmase-result
- X-tmase-snap-result
- X-imss-dkim-white-list
- X-tm-as-result-xfilter
- X-tm-as-smtp
- X-scanned-by
- X-mimecast-spam-signature
- X-mimecast-bulk-signature
- X-forefront-antispam-report-untrusted
- X-microsoft-antispam-untrusted
- X-sophos-senderhistory
- X-sophos-rescan
- and more...
Most of these headers are not fully documented, therefore the script is unable to pinpoint all the details, but at least it collects all I could find on them.
delete-warning-div-macro.vbs - VBA Macro function to be used as a Social Engineering trick removing "Enable Content" warning message as the topmost floating text box with given name. (gist)
gophish-send-mail - This script will connect to your GoPhish instance, adjust HTML template and will send a quick test e-mail wherever you told it to, in attempt to let you quickly test out your HTML code.
MacroDetectSandbox.vbs - Visual Basic script responsible for detecting Sandbox environments, as presented in modern Trojan Droppers implemented in Macros. (gist)
Macro-Less-Cheatsheet.md - Macro-Less Code Execution in MS Office via DDE (Dynamic Data Exchange) techniques Cheat-Sheet (gist)
macro-psh-stdin-author.vbs - VBS Social Engineering Macro with Powershell invocation taking arguments from Author property and feeding them to StdIn. (gist)
Phish-Creds.ps1 - Powershell oneline Credentials Phisher - to be used in malicious Word Macros/VBA/HTA or other RCE commands on seized machine. (gist)

One can additionally add, right after Get-Credential following parameters that could improve pretext's quality during social engineering attempt:
- -Credential domain\username - when we know our victim's domain and/or username - we can supply this info to the dialog
- -Message "Some luring sentence" - to include some luring message
PhishingPost - (PHP Script intdended to be used during Phishing campaigns as a credentials collector linked to backdoored HTML
action parameter.
phishing-HTML-linter.py - This script will help you identify issues with your HTML code that you wish to use as your Phishing template.

It looks for things such as:
- Embedded Images
- Images without ALT
- Masqueraded Links
- Use of underline tag <u>
- HTML code in <a> link tags
- <a href="..."> URL contained GET parameter
- <a href="..."> URL contained GET parameter with URL
- <a href="..."> URL pointed to an executable file
- Mail message contained suspicious words
- Mail message contained unsupported HTML tags
- Mail message contained unsupported HTML attributes
Such characteristics are known bad smells that will let your e-mail blocked.
RobustPentestMacro - This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques.
warnings\EN-Word.docx and warnings\EN-Excel.docx - Set of ready-to-use Microsoft Office Word shapes that can be pasted / inserted into malicious documents for enticing user into clicking "Enable Editing" and "Enable Content" buttons.
WMIPersistence.vbs - Visual Basic Script implementing WMI Persistence method (as implemented in SEADADDY malware and further documented by Matt Graeber) to make the Macro code schedule malware startup after roughly 3 minutes since system gets up. (gist)
Various-Macro-Based-RCEs.md - Various Visual Basic Macros-based Remote Code Execution techniques to get your meterpreter invoked on the infected machine. (gist)
vba-macro-mac-persistence.vbs - (WIP) Working on VBA-based MacPersistance functionality for MS Office for Mac Macros. (gist)
vba-windows-persistence.vbs - VBA Script implementing two windows persistence methods - via WMI EventFilter object and via simple Registry Run. (gist)
VisualBasicObfuscator - Visual Basic Code universal Obfuscator intended to be used during penetration testing assignments.

README.md

Phishing and Social-Engineering related scripts, tools and CheatSheets