记一次钓鱼邮件攻防演练环境准备(1)

发表于 | 分类于

前记

       近期可能得帮客户做一个钓鱼邮件的攻防演练,本来以为写个python调用一下几个大厂的smtp发送一下就完事了,没想到几个大厂的安全措施做的还是不错的各种拦截,哈哈。也不敢到网上用别人的smtp,最后没办法就自己动手在本地搭建一套smtp服务器去实现了,初步计划在本地自建Named+postfix实现邮件发送,然后用python调用smtp把邮件发出去,如果对方有all组的话就不用批量发了直接发给all组就可以了,搭建后测试效果发现还不错。因为是自建的服务器没有什么安全设置,可以把域名设置成和对方相似的域名,这样增加钓鱼的成功率,并任意添加账户,账户名可以和对方高层一样。
       关于结果收集方面还没想好,本来以为可以直接上个url比较简单,但是对方从内网访问到公网的ip记录下来的ip是出口ip,这样就没法定位到是哪个员工中招了,除非对方有浏览器漏洞,在钓鱼的页面插入pyload记录本地地址,但是这很依赖用户的浏览器版本。目前的想法是做一个word,利用word较新的漏洞,去记录本地信息并回传到我们的服务器,但这在目标机器执行了代码,估计还得协商一下哈哈。

DNS服务器搭建及配置

  • 安装named 
1
yum install named
  • 修改/etc/named.conf主配置文件设置监听的端口,配置文件,转发请求等,主要修改内容为:
    • 把listen-on port 53、listen-on-v6 port 53、allow-query改为any,允许所有人访问dns服务器
    • 添加 forward first、forwarders {114.114.114.114;}; ,在本域解析不了的请求发往114.114.114.114查询 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50

options {
	listen-on port 53 { any; };
	listen-on-v6 port 53 { any; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	allow-query     { any; };
	forward first;
	forwarders {114.114.114.114;};

	/* 
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
	   recursion. 
	 - If your recursive DNS server has a public IP address, you MUST enable access 
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification 
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface 
	*/
	recursion yes;

	dnssec-enable yes;
	dnssec-validation yes;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
	type hint;
	file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
  • 修改/etc/named.rfc1912.zones添加解析域文件
    • 添加test.com域的正向域解析文件
    • 添加218.168.192.段的反向解析文件 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
zone "localhost.localdomain" IN {
	type master;
	file "named.localhost";
	allow-update { none; };
};

zone "localhost" IN {
	type master;
	file "named.localhost";
	allow-update { none; };
};

zone "test.com" IN {
	type master;
	file "test.com.zone";
	allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
	type master;
	file "named.loopback";
	allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
	type master;
	file "named.loopback";
	allow-update { none; };
};

zone "0.in-addr.arpa" IN {
	type master;
	file "named.empty";
	allow-update { none; };
};

zone "218.168.192.in-addr.arpa" IN {
	type master;
	file "192.168.218.in-addr.arpa.zone";
	allow-update { none; };
};
  • 创建正向解析文件test.com.zone,并添加MX和A记录 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
#从模板复制到test.com.zone文件
cp -p /var/named/named.empty /var/named/test.com.zone

#文件内容test.com.zone
$TTL 1D
@	IN SOA	@ rname.invalid. (
					0	; serial
					1D	; refresh
					1H	; retry
					1W	; expire
					3H )	; minimum
	NS	@
	A	127.0.0.1
	AAAA	::1
	MX 10 	mail.test.com
www	    A	192.168.218.111
mail	A	192.168.218.155
  • 创建反向解析文件192.168.218.in-addr.arpa.zone,并添加MX和PTR记录 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
#从模板复制到192.168.218.in-addr.arpa.zone文件
cp -p /var/named/named.loopback /var/named/192.168.218.in-addr.arpa.zone

#文件内容192.168.218.in-addr.arpa.zone
$TTL 1D
@	IN SOA	@ rname.invalid. (
					0	; serial
					1D	; refresh
					1H	; retry
					1W	; expire
					3H )	; minimum
	NS	@
	A	127.0.0.1
	AAAA	::1
	MX 10 	mail.test.com
	PTR	test.com
111	PTR 	www.test.com
155	PTR 	mail.test.com
  • DNS指向本地IP,启动named服务器并测试结果 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
#启动服务
systemctl start named

#测试结果
[root@localhost ~]# nslookup mail.test.com
Server:		192.168.218.155
Address:	192.168.218.155#53

Name:	mail.test.com
Address: 192.168.218.155

[root@localhost ~]# nslookup 192.168.218.155
Server:		192.168.218.155
Address:	192.168.218.155#53

155.218.168.192.in-addr.arpa	name = mail.test.com.218.168.192.in-addr.arpa.

Postfix服务器搭建及配置

  • 安装Postfix 
1
yum install postfix
  • 修改主配置文件main.cf,主要的配置参数如下:
    • myhostname:设置邮件服务器主机名称
    • mydomain:设置域
    • myorigin:设置组织
    • inet_interfaces:设置监听IP
    • inet_protocols:设置监听协议
    • mydestination:设置邮件接收域
    • mynetworks:设置本地网络
    • relay_domains:设置转发哪些外域的邮件
    • home_mailbox:设置邮箱目录 
1
2
3
4
5
6
7
8
9
myhostname = mail.test.com
mydomain = test.com
myorigin = $mydomain
inet_interfaces = 192.168.218.155
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 192.168.218.0/24
relay_domains = all
home_mailbox = Maildir/
  • 启动postfix并测试结果 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
#启动服务
systemctl start postfix

#测试结果
Connecting to 192.168.218.155:25...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
220 mail.test.com ESMTP Postfix
helo mail.test.com
250 mail.test.com
mail from:jack@test.com
250 2.1.0 Ok
rcpt to:tom@test.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
test jack
.
250 2.0.0 Ok: queued as 478604037620
quit221 2.0.0 Bye


#查看用户邮箱信息
[root@localhost ~]# cat /home/tom/Maildir/new/1531024382.Vfd00I4037626M605433.localhost.localdomain 
Return-Path: <jack@test.com>
X-Original-To: tom@test.com
Delivered-To: tom@test.com
Received: from mail.test.com (unknown [192.168.218.1])
	by mail.test.com (Postfix) with SMTP id 478604037620
	for <tom@test.com>; Sun,  8 Jul 2018 00:32:42 -0400 (EDT)

test jack

python调用smtp服务器

       这个地方踩了坑比较多,本来想用本地的smtp发送个邮件到QQ邮箱,结果发不出去,看一下日志,我靠我家的IP被封了?我都没用QQ邮箱,之后我又往google发,也告诉我IP信誉度低被拒收了,感觉我家的IP被人盗用了:(,后来测试往163发没有问题,这里真吐槽一下QQ邮箱的防护,发一个subject“项目进度”都是垃圾邮件~
image
image
       第二个问题就是邮件的编码问题,一开始我的[‘From’]和[‘TO’]是这么写的,结果收件人显示乱码。 

1
2
message['From'] = Header("张总", 'utf-8')
message['TO'] = Header("全体员工", 'utf-8')

image
       在网上查了一下,[‘From’]和[‘TO’]以变量的形式引入才不会乱码,至于效果我在163邮箱是得到证实的,不过每个邮件系统可能还有区别,需要多去测一测。

image

最后的代码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
#! /usr/bin/env python
# -*- coding: UTF-8 -*-

import smtplib
from email.mime.text import MIMEText
from email.header import Header

sender = 'jack'
receivers = ['18756994059@163.com']

mail_host = '192.168.218.155'

message = MIMEText('test mail', 'plain', 'utf-8')
# message['From'] = Header("张总", 'utf-8')
message['From'] = "%s<jack@test.com>" % Header("张总", 'utf-8')
message['TO'] = "%s<18756994059@163.com>" % Header("全体员工", 'utf-8')
message["Accept-Language"] = "zh-CN"
message["Accept-Charset"] = "ISO-8859-1,utf-8"

subject = 'test'
message['Subject'] = Header(subject, 'utf-8')

try:
    smtpObj = smtplib.SMTP(mail_host, 25)
    smtpObj.sendmail(sender, receivers, message.as_string())
    print "邮件发送成功"
except smtplib:
    print "邮件发送失败"

后记

       至此,前面的发送阶段应该问题不大了。重点是如何把钓鱼的结果收集上来,后面先测试一下用OFFICE文件进行钓鱼的效果,目前也只想到这一种较好的方法,访问统计由于只能统计到出口地址应该是不可行了。