GKSEC

All about HW2021

HW-related

As everyone knows, the annual HW exercise is about to start again, so it is time to bring out the tools stashed at the bottom of the chest.

Phishing email

A few days ago I received a phishing email and found that it had been relayed by a Philippine government (GOV) mail server. It passed QQ/Outlook SPF cleanly, and even though Sender and From differed it was not shown as "sent on behalf of", which was very strange. I originally wanted to keep it for HW, but found the vulnerability had already been fixed and the Philippine mail server's interface had been shut down.

Received: from 122.49.209.176 (unknown [122.49.209.176])
    by newmx31.qq.com (NewMx) with SMTP id 
    for <admin@gksec.com>; Tue, 23 Feb 2021 18:42:12 +0800
X-QQ-FEAT: VZ9o1bCAgxXhJ5JjaEt64xNWpwNNeb4F
X-QQ-MAILINFO: MjJD59SVx+Lnzeh9os5Sktg2QqGdVW0rXWRQY8pvTDa60pdQeZcNkDc/i
    A8WS9EiTJPrp68xjxS9vMpGY8ClErEw4lV6Sr9PgtgJgkcGsgrn
X-QQ-mid: mxszc62t1614076931tl7z8vacc
X-QQ-ORGSender: test@gmail.com
X-QQ-XMAILINFO: NiR88pJ0cSzWnlX2bctiNgDW4Q46hp/t3ki4Q/q4Nn2BreiQ41mpqxfzDygEfJ
     2lVsuRQQau0ODyGr98+r1uDfZCpu+j6doGFJ+jTVUdNBsqPbdBfPiAH0loSOmW8dpg/YcYR1MwQx
     JqOqinlKYdmaZJrYRGk83gmOeqOnL8N30SMyP7ph37gdQg72e1vHMlO9LILIN6U8apFXGfDmMaag
     MyzreudLxZSaA2PtAOSiqfDll5pojnPCbLHDTVUDeqU8Wk9TEg/Ub74EHzghc6J9WH6yqEHsjGhB
     LntDVcjU1IeqA1zhWVoaMhCTHVKfmOoXbRzqAgoe3yEtphroMSDIL2OptQ7MsBgmjAFOtAiZeQRn
     OFAGT4zgQsIPXhYbFtgsRuQ+dnN5IQTO3M0ytbm+W9SGEuFDhgYE0WDlhJhnIwDFswHyZ74ZgGXz
     aQvl7S9u5EPlhYNJ3Uw/TBn1424cMid7RgFkpDn7nergN7o+d/Sd5CjXNo778zpRv649KMH2GDX0
     9AtzgOygV6lL2yp5gmCFaLloURGST3AQMoOOuP9cTDwgJwZMfbukyAICr6UHFoH6Upc6mL7PFNnj
     Wz7y9AhxNX27kMBZ8GjR2h7NLoQnoEGDbpA2kiRm0Bkn2FnqhNIGuJyJfPnnQgsRCw+nHrT0QMpi
     QP8+waeRQ0DEvCoqaWW3mweSQ/i/qYiUCD19ENi8nPM3WgpDWg+Imev8wbSeK8a1sI+ciMPufeLi
     VSXlqorFDuaX4ofCr0j2v4G0UMoPzBc7ZzqTc+UuKSslp1k53Hejkg4/5FDU3nqHL1eQKA1/mBmp
     u/TyN2i+sYgKPNYKWjQ9xTUJPMBAuo/B1NTQ+7VLIABg==
Received: from localhost (localhost [127.0.0.1])
    by mail.marina.gov.ph (Postfix) with ESMTP id B34094C0EF54;
    Tue, 23 Feb 2021 18:40:40 +0800 (+08)
Received: from mail.marina.gov.ph ([127.0.0.1])
    by localhost (mail.marina.gov.ph [127.0.0.1]) (amavisd-new, port 10032)
    with ESMTP id pTt6-K3cQPy6; Tue, 23 Feb 2021 18:40:40 +0800 (+08)
Received: from localhost (localhost [127.0.0.1])
    by mail.marina.gov.ph (Postfix) with ESMTP id 8C4D94C0F408;
    Tue, 23 Feb 2021 18:40:40 +0800 (+08)
X-Virus-Scanned: amavisd-new at mail.marina.gov.ph
Received: from mail.marina.gov.ph ([127.0.0.1])
    by localhost (mail.marina.gov.ph [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id C3dUTC9xbHzF; Tue, 23 Feb 2021 18:40:40 +0800 (+08)
Received: from [192.168.0.192] (unknown [10.0.0.1])
    by mail.marina.gov.ph (Postfix) with ESMTPSA id E11FC4C0EF54;
    Tue, 23 Feb 2021 18:40:28 +0800 (+08)
Content-Type: multipart/alternative; boundary="===============0586596872=="
MIME-Version: 1.0
Subject: DONATION
To: Recipients <test@gmail.com>
From: test@gmail.com
Date: Tue, 23 Feb 2021 11:40:13 +0100
Reply-To: azimpemji158@gmail.com
Message-Id: <20210223104028.E11FC4C0EF54@mail.marina.gov.ph>

You will not see this in a MIME-aware mail reader.
--===============0586596872==
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Description: Mail message body

The sum of $790,000USD has been donated to you by Mr. Azim Hashim, Respond =
back for more details email via azimpemji158@gmail.com=20
--===============0586596872==
Content-Type: text/html; charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Description: Mail message body

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; charset=
=3Diso-8859-1"/></head>The sum of $790,000USD has been donated to you by Mr=
. Azim Hashim, Respond back for more details email via azimpemji158@gmail.c=
om
</html>
--===============0586596872==--

A quick analysis suggests the attacker exploited a vulnerability in the Philippine government's mail system to gain control of the mail server and then sent phishing email in bulk.
So I just took it and fired it off with swaks; below are partial screenshots from my successful test.




This raises a new question: do the big providers' mail services rely on treating gov domains as a whitelist?

Red team

BurpShiroPassiveScan

https://github.com/pmiaowu/BurpShiroPassiveScan

Super weak-password checker

https://github.com/shack2/SNETCracker

Traffic muddying

https://github.com/burpheart/mbtm

Self-hosted DNSLog

https://github.com/yumusb/DNSLog-Platform-Golang

Hook-related

https://github.com/Mr-Un1k0d3r/RedTeamCCode

LSBShell

https://github.com/Ch1ngg/LSBShell

SecureCRT password decryption

https://github.com/HyperSine/how-does-SecureCRT-encrypt-password

Asset scanning

https://github.com/EdgeSecurityTeam/EHole
https://github.com/r0eXpeR/redteam_vul

Default password checking

https://github.com/0xHJK/TotalPass

Redis one-shot getshell

https://github.com/pan3a/Redis-Getshell/

Blue team

Backdoor detection tool

https://github.com/huoji120/DuckMemoryScan

High-precision IP geolocation

https://h-k.pw/ (email me to request access)
