
PHISHING – LESSON 1

MX RECORD – shows you the DNS of the mail server – the name (what the server hosting that IP is
called) – the nslookup command, then you type the IP

Introduction to headers

Lines of data in the email that contain useful information

Message-ID – a unique one is created for each email message

Hops – the log – from where the mail started to where it arrived

Reply-To – the spoofed mail – the original sender is not found there

Return-Path – to find the original sender

Authentication results – SPF, DKIM, DMARC

SPF – shows the IPs that are allocated to mail domains (A LOOKUP IS DONE FOR SPF) – PASS / FAIL

a – all the IPs of that domain may send mail

mx – shows you the IPs or the servers

include – all

all – all

SPF – 4 results:

1. Pass – means it passed
2. Hardfail – it did not pass
3. Softfail – the domain administrator believes the IPs are not authorized but takes no action
4. Neutral – the domain administrator does not want to show which IPs are authorized

DKIM – assigns a cryptographic key to the mail – it is clear that it is safe / it also creates a hash

DKIM signature tags:

v = version

a – encryption algorithm

d – the domain that signed the message

h – which headers are included in the hash

b – the cryptographic signature of the headers

DMARC – gets OK if it passed SPF or DKIM
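The header checks above (Return-Path, Reply-To, hops, the Authentication-Results verdicts and the DKIM tags) as a small triage script; this is an added example, not from the notes. The headers are a constructed sample, and the domains, IPs and helper names are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not a real message): the From domain is a bank,
# but Return-Path, Reply-To and the DKIM signer are a different domain.
RAW = """Return-Path: <bounce@mailer-example.test>
Received: from relay.mailer-example.test (relay.mailer-example.test [203.0.113.7])
 by mx.example.org with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from [198.51.100.9] (unknown [198.51.100.9])
 by relay.mailer-example.test with ESMTPA; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.example.org; spf=softfail smtp.mailfrom=mailer-example.test;
 dkim=pass header.d=mailer-example.test; dmarc=fail header.from=bank.example
DKIM-Signature: v=1; a=rsa-sha256; d=mailer-example.test; s=sel; h=from:to:subject; bh=abc; b=def
Message-ID: <20240101100000.1234@mailer-example.test>
From: "Bank Support" <support@bank.example>
Reply-To: attacker@mailer-example.test
"""

def parse_tags(value):
    """Split a ';'-separated tag=value header (Authentication-Results, DKIM-Signature)
    into a dict, keeping the first token of each value (the verdict, or the DKIM tag)."""
    out = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.strip().split("=", 1)
            out[key.strip()] = val.split()[0] if val.split() else ""
    return out

def domain_of(header_value):
    """Lower-case domain part of the address in a From/Reply-To/Return-Path header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    """Return the authentication verdicts, DKIM tags, hop list and mismatch findings."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    auth = parse_tags(msg.get("Authentication-Results", ""))
    dkim = parse_tags(msg.get("DKIM-Signature", ""))
    hops = msg.get_all("Received", [])  # first = last hop (our MX), last = origin
    findings = []
    for name in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(name))
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} differs from From domain {from_dom}")
    if auth.get("dmarc") != "pass":
        findings.append(f"DMARC result is {auth.get('dmarc', 'missing')}")
    if dkim.get("d") and dkim["d"].lower() != from_dom:
        findings.append(f"DKIM signer d={dkim['d']} is not the From domain")
    return {"auth": auth, "dkim": dkim, "hops": hops, "origin": hops[-1] if hops else "", "findings": findings}
```

The last Received header listed is the one closest to the origin, which is where the sending IP for the nslookup/MX check comes from.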


Right-click – Inspect – Network – look in the headers for the php ones and go after the POST (that is
where the credentials were entered and the data was sent)

Sandbox tool – urlscan.io, you also look at where others have scanned

Base64 – the main encoding method

CyberChef – to decode

When you have two equals signs at the end it means it is base64

Drive-by download – when you open a URL by mistake and download something malicious

SocGholish – based on a zip and JavaScript – it runs the whoami command and creates a temp file with the
data extracted from the computer

Recommendations: isolate the computer, block the IP and the hash, and if it is compromised reinstall everything

DNS poisoning – a request is made to the C&C IP –

DNS spoofing – when the DNS server is cloned

Threat Intelligence is the analysis of data using tools and techniques to generate meaningful information
about existing threats targeting an organization, which helps mitigate risks. (AlienVault, IBM, Cisco Talos)

A whaling attack is a phishing attack that targets a senior executive.

Smishing is phishing through some form of a text message or SMS.

Spear phishing is an email or electronic communications scam that involves targeting a specific individual,
organization or business to try to steal their login credentials.

Vishing, which is short for "voice phishing," is when someone uses the phone to try to steal information.
The attacker may pretend to be a trusted friend or relative or to represent them.

LDAP (Lightweight Directory Access Protocol) is an open and cross-platform protocol used for directory
services authentication.

LDAP provides the communication language that applications use to communicate with other directory
services servers. Directory services store the users, passwords, and computer accounts, and share that
information with other entities on the network.
CLI – COMMAND LINE INTERFACE – is an interface for the user to issue commands in the form of successive
lines of text or command lines to perform tasks. (for example: nslookup, ipconfig)

UI – USER INTERFACE – ALLOWS USERS TO INTERACT WITH ELECTRONIC DEVICES THROUGH GRAPHICAL
ICONS AND VISUAL INDICATORS.

COMMANDS:

WHOAMI –

Linux provides the "ls" command in order to list files and folders.

Windows MS-DOS and PowerShell command-line interface provide the dir command in order to list files
and folders.

WHOAMI – is the command that displays the user, group and privileges information for the user who is
currently logged on to the local system. If used without parameters, whoami displays the current domain
and user name. Whoami can also be exploited by attackers. For example, SocGholish employs several
scripted reconnaissance commands. While much of this activity occurs in memory, one that stands out is
the execution of whoami with the output redirected to a local temp file with the naming convention
rad<5-hex-chars>.temp.

JavaScript – which starts running whoami. Attack via drive-by download

And it is dangerous because the data is delivered directly to the C2.

VULN SCAN -
