SOC安全防護(hù)輿維運(yùn)-針對(duì)性社交工程最新手法輿案例解析宏碁電子化服務(wù)事業(yè)群安全技術(shù)輿管理處葉輝煌副理-安全技術(shù)管理處資安一部技術(shù)副理?學(xué)歷：-臺(tái)灣科技大學(xué)資訊工程所碩士?工作經(jīng)驗(yàn)：?專業(yè)認(rèn)證：-動(dòng)力安全資訊股份有限公司系統(tǒng)工程師講師簡歷-律峰科技有限公司資訊管理部副理一年代資訊科技股份有限公司製作中心系統(tǒng)管理主任?專長：-惡意程式事件調(diào)查、主機(jī)入侵事件調(diào)查、IDP規(guī)劃輿管理、Linux/FreeBSD/Windows規(guī)劃輿管理、防火牆規(guī)劃輿管理、應(yīng)用程式防火牆規(guī)劃輿管理、VPN規(guī)劃輿管理、防垃圾郵件?針對(duì)性社交工程手法-資料竊取輿密碼側(cè)録實(shí)例-針對(duì)性社交工程輿鑑識(shí)實(shí)務(wù)-反鑑識(shí)社交工程實(shí)例?最新案例解析-竊取密碼-置換防毒元件-各種工具解析針對(duì)性社交工程手法發(fā)送對(duì)象無針對(duì)性勞委會(huì)、新聞局等釣魚郵件實(shí)例(1)發(fā)送對(duì)象無針對(duì)性勞委會(huì)、新聞局等名片簿偏好般定Webmail隠藏信匣·收件匣編段重送回覆4前一封全部回夜蔣奪封隨易蓮里X用除移動(dòng)友備列印被裂主旨：FW:現(xiàn)代人的相親標(biāo)單糧祝郟件標(biāo)明故溫幽告信期智清信軟慢或下款已用412MB/50CME奇件："scyu"cscyu@.tw>新增規(guī)則新增名片ha6305@twpigmacgovtwclaudedowmacgovtwYenmailclagovtw常用信醫(yī)7曰副木：Yumi@,tw,littlebsar@.tw,pkchenmallgiogovtwwaitingmailgiogovtw我的信件匣「搖相]收件匣(181)刪除鄄件自同!2008-07-1109105742如此相輥.zip(133.7kb)FromjjmiaujjmiaumailnckueeSubject:FW:現(xiàn)代人的相親標(biāo)輩eSubject:FW:現(xiàn)代人的相親標(biāo)輩現(xiàn)代人的相親標(biāo)輩：男相女一漂亮優(yōu)先!(見附件，超般搞笑)YOUAREUSINGTHENCKUWE以文字吸引收件者開敲附加7/119:05:收到主旨為「F現(xiàn)代人的相親標(biāo)輩的信，立爽帶一個(gè)「如此相親.zip收件人有陛委會(huì)、客委會(huì)編精重送回全部回質(zhì)轉(zhuǎn)寄|×用重點(diǎn)：本案例內(nèi)容輿點(diǎn)選開敗附檔temp-Windovs回片和傅具被貌器女男相相男女強(qiáng)路上的方部強(qiáng)漂壯亮篇焉優(yōu)優(yōu)先先上一頁mqperfmqperfdllmpg4ds32.axmprapidllngo移至msadds32.axmsadp32.scm鍵盤側(cè)録軟體運(yùn)作實(shí)況-輸出後檢視內(nèi)容，發(fā)現(xiàn)KeyLogger的紀(jì)録檔-記録使用者所有的鍵盤活動(dòng)a961129外交部智越長umDe1Num6Num6BackspaceBackspaceNum4Num4Num4BackspaceBackspaceBackspaceBackspaceBackspaceBackspaceNum6Num6BackspaceBackspaceNum4Num4BackspaceBackspaceBackspaceBackspaceNum6Num6Explorer9Tab室旁邊吃麵側(cè)録內(nèi)容力-∠Vum6Num6Num6Num6Num4NumDelNumDelNumDelNumDeum69ackspace0ru8nter?8説他較想去-98HI-對(duì)話trl?au/48gjiw8rul4vu:3fm4nter?g6dj4g4q;61u0tau04iter?ruackapaceBackapaceEnter?5k4u;4ji3ru4dk3u356ru,fu6rul3w84tkeji4fm4nter?um4NumNumNumNumNumNumNumNumPgUp52釣魚郵件實(shí)例(2)?客戶觸發(fā)可疑連線，進(jìn)行事件鑑識(shí)，瞭解觸發(fā)連線的來源程式192.11726180搜尋可疑之原始檔案客戶A之調(diào)查-針對(duì)連線前後期間所開敗過之可疑檔案、不安全檔案(例如不明寄件者的信件夾檔)進(jìn)行瞭解、菟集，業(yè)找出其關(guān)聯(lián)性重點(diǎn)：本案例為精心設(shè)計(jì)之釣魚郵件，內(nèi)容輿發(fā)送對(duì)象均為針對(duì)性使用者於2007/8/2910:31收到陸委會(huì)邱XX所寄送出的郵件，主旨為使用者於2007/8/2910:31收到陸委會(huì)邱XX所寄送出的郵件，主旨為陸委會(huì)機(jī)密函，附檔為奧運(yùn)聖火協(xié)商報(bào)告.rargov.tmmkict客戶之SMTPServerTed,29-Hu200710:3153+0900Received:fromc10.tw([22])byWed,29Aug200710:38:52+0800Received:from([39])byc10g.twwithESMTP;29Aug200710:38:52+0800X-IronPort-AntiSnamFilteredtrneof0-Message-ID:<C973A9658C2B4DDCBFB4EF7E0BsmallbusinesslocalFrom:=?big5?B?s7CpZbd8IKr0q6ulvw=?=<ccs@.tw>To:<Indisclosed-Recipient:@;>Subject:=?big5?B?s7CpZbd8IL73sUuo5w=?=X-MSMail-Priority:NormalX-Mailer:MicrosoftOutlookExpress6.00.3790.3959X-MimeOLE:ProducedByMicrosoftMimeOLEV6.00.3790.4073Return-Path:ccs@mac.goy.twX-OriginalArrivalTime:29Aug200702:38:52.0546(UTC)FILETIME=[BCAB1620:01C7E9E5]採様檔案掃描/測試針對(duì)採様之可疑檔案進(jìn)行掃毒確認(rèn)檔案名稱病毒名稱/類型(參考Virustotal掃描結(jié)果，2007/9/2)判斷可疑或異常掃描軟體比例TrojanDownloaderWinSmaBackDoor-CEP.svrBackDoor-CEP.svr-以下為各可疑程式可能有的嘗試連線動(dòng)作：採様業(yè)送趣勢檢查檔案名稱趨勢判讀結(jié)果(回覆日期，2007/8/30) _ mictwifg.exe mstdc.exe ?冒用長官或是相關(guān)部會(huì)的名義，以社交工程手法寄出攻撃信?收件者多為局長朋友，攻撃者冒用局長名義寄送釣魚郵件，降低收件者戒心?若未做好Office更新，就會(huì)被入侵成功釣魚郵件實(shí)例(4)?98年06月19日發(fā)生?冒用○○部名義，發(fā)送釣魚郵件?本案例的惡意程式，有自我保護(hù)機(jī)制，發(fā)現(xiàn)有偵查行為時(shí)將不動(dòng)作蓿案D編輯它校脫V)我的最葉()工具①)說明國上一頁搜尋資料夾檔案類型離線檔案資料夾畫面資料夾的方式套用到所有資料夾。套用到所有資料火山重設(shè)所有資料火(K)自動(dòng)搜尊潤路資料夾和印表橫使用簡易檔案共用(建議使用)隠藏已知榴案類型的副檔名隱藏保護(hù)的作業(yè)系統(tǒng)檔案(建議使用)隱藏臨案和資料夾漫原成預(yù)設(shè)值(①)確定取消用漏址Da 釣魚郵件實(shí)例(5)?某客戶收到一封疑似釣魚郵件的電子郵件，因此提供給宏碁進(jìn)行檢查。下午11.00下午11.00可疑程式分析(續(xù))IESCCEDCariesSyamemaPintMonitorsLSAProvidersNetworkProvidersHKLMSOFTWAREMicaosoftWindowsCunentVexsiomRuHKCUSOFTWAREMicmsofNhtemetEkplcuerDesktoplCompHKLMSOFTWAREMicneaflAotiveSetiuplhestalpaogamfileswmwrauewmwsupogamfileslwmwouewmwsHKLMSystemlCumentContolSetServiHKLMSystemlCumentContolSetSerripoguamfileslwmwouelwmpogamfileshwmaselwmwauetoolswmwoFilenotfoundCAWINDOWSystemADaverslChanFilenotfoudCAWINDOWSSystFilenotfoundWINDOWSSystemDnFilenotfound:CAWINDOWSSystemDiversPCIDFilenotfoundWINDOWSSystemDaversPDCOProcessExplorerigfxmgrexeigf藏身於explorer.exe之下，但explorer.exe沒有連線行為，反而是呼叫IEXPLORER.EXE進(jìn)行連線。thnnlncomARIESCCEDAClnieISAShallEapotVessicnMicasoaftCapuatianYWindowsEoploerMinsofCopustoVMwToclrtsywmthiocstNameDesoapHandleorDLLsubstring:ofxmgr.exelSearchCancelcbrenlsNDOWSlsyst.iocale.nlspowS\esathey.nlsINDOWSlsyst.Hondl.CW/DOW\ghgDoW?'yst..uucodenlsNDOWS'yst.ADVAPBdIAdvacedNDOWSvtCRYPT32ⅢCryptoANDOWS'systCRPTIMionosotNDOWS'systGDICletmmowsltRahot1eabd-FocesEx下午1102更強(qiáng)大的HashDump程式?gsecdump.exe較getHash程式更強(qiáng)，只要擁有administrator的權(quán)限，便可直接Dump出AD上所有帳號(hào)的Hash值C:\>"\\7\c$\DocumentsandSettings\nientzu\桌面\DC1\malware\gsecdumpgsecdumpubyJohannesGumbeljohannedump1sasecretsdumpnicrosoftwirelessconnectionsg4eeaad3b435b51404ee:de57f11cd3bdc1c620ca17891135651404ee:fc7e376dt6bdddcd84b42959143e9b51404ee:c4fcc5ba5ao6254624c507416t257736124a43a1d91a081d4b37861:9fb416194bf36399ad0dc130435651404ee:4728540a05eat70ebe77a6435651404ee:0742ae12810a70b9d78613ba9213615651404ee:85aed35a25d7d1a594bec34c94ca9d0f:e60bee91c412ede18bafde3e0dce493593b7a:5e5c08caccd845926128700663fact651404ee:43c138941723e5*7649671150ea85b51404ee:0e1d7dbed3bf243a4955dae21b6d15f7164314b90:66c9d1cbb9de125551404**:**9868*69*90408736*815651404ee:d68798330876b9abeacfb90738c5d9:52cd0852571902946aacd2t74a391181efe281b:cf78057c638d5aed51dab2a9441bb:92b7b06bb313bf666640c5a1e75e025e429m9e:1madfc5006ce615c9e9d2e1d9f625Becdf409:ebf6ad7065b508111749710d893f5d05:13fa662707;29cfe83501509c2e876e1beeefcaf1ffe89:664070a8f9dbalbd2cea484ebbedla1a5e3a0:48bcfa41a5c6ceb5f24e6d24473234718a7ee:bc69298fd0odac6ate3t43b8920c56b51404ee;fe94302acec370fe0b4940ec3beaef1bbf040493b:c22b315c040aefe0efee3518d830362b就可以抓出所有的帳號(hào)輿hash值單位全部的帳號(hào)全都露單位全部的帳號(hào)全都露此檔案解開後發(fā)現(xiàn)是該單位所有帳號(hào)木密碼的Hash值?利用getHashes竊取密碼Hash值4.dat相黃(H)編輯(日)格式(O)檢源(V)栽明(H)asp:500:B8BB9F51AAAA1608844D4465F9469701:CD77F84F3965137AAEC6C510D1CAst:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFEOD16AE931B73C59tgt:502:AAD3B435B51404EEAAD3B435B51404EE:E0436E7075C9A929B2A93F1BD_RY2KAD01:1001:F87951F29E8E3B33824B801C91847B63:E164657C37BD3DE3CCD21634FA_ V2KAD01:1002:405073214BA482BE47BE1804F4AE8760:87E7772C3CEE11E6D48E00CEA9091DB0 TV2KAD00:1117:EBB7A4CC570EDAF7B7138A67861733E0:0C1BA11BF7A2AB7B079BC80BC829_ang:1118:8495F134453C82C69CD42B84A471CFC0:FBC9057D63D809D19A7B14157D15ang:1119:49CBB252E322F732BB2773FD22582BEB:D4676EB542F454CF7C4626C03E3Fa:1120:74EC89EEACE60C009B815A8B4B00F93F:7939239A169CF325341338752029u:1121:233CE3480C7B26B73832C92FC614B7D1:DDC6B050D91F56D930541017FC7B0E21:1122:B7B390AB98F2DE0B2C5AE1F1CFB9210F:F8F5D9F282B910BBBBngnh:1123:E7F94C1B93B3DDC8B0D3662B97EBED58:7DC936C762311143CA5BB87640B902n1c:1124:754DB021D0818E77C81667E9D738C5D9:8D120F7BFDAF411D3306D924638009en:1126:3DD27BA0523E8944C2265B23734E0DAC:38C147786B246BA43F538EDFFuang:1127:22C181D54C6D6944695109AB020E401C:D591463B0F492A19D98C5403767C49Cang2:1128:6CB38F99BCA567B9A09B3648F98A0284:5DEDC9C279446D25B14ED66B1843in:1131:952F488BF4F1E729BC072032DB80553E:4F4C3D585FCOBEEEAADsieh1:1133:5940799FD52E1D231AB027A4BBC8ID4D:7ACFD9F37CA4C250BCBEA1:1136:B6FA683C3151051FC2265B23734E0DAC:7B76D0F8AFOCA586F22:1138:3AA09B7D3C1A05C436077A718CCDF409:18ACA5C336849207159D322C9ACa4:1140:9666355C7D856EFBC2265B23734E0DAC:5C6CDAF6DOB9ADAOE859AAF2DABBa5:1141:8BOCB89C2CF0888SC34DBA145F6B05AA:CSEB8F9FFDDE2891D6D69B9FBBEDa6:1142:C653450E17D66A4236077A718CCDF409:300900C8CFB8156B35CBA502CC24A979:::a8:1143:63BBD6431C8D86E436077A718CCDF409:CD642E9206DB4DBD20902SC047EE7ED9:::a9:1144:BD490D1C2596124C6C469IC0029EBE9F:DAEEBE7E3B5572DAF73F6E560B95B955:::c:1145:D828CDE679663E9D93E28745B8BF4BA6:153709FB6EBF84FA13935CACCEu1:1146;D55697D51824FA3DC9E04F959D38CCB0:4DAA871C734685C9C534177E64279F4u:1147:DOEBCB6CF3425BE609752A329383ID17:BDFB03B2158BCD75A08C016D88F019B0:1148:97CB39D23640F7C06BA2730853FC2C19:2F7C7965118D995ACB7877D54879sia:1149:F4D35F566ADFC83925AD3B83FA6627C7:AE16C8FE665013B0C0EDAFau:1151:14A07582BC299556382A5EF502CE946B;B1B80C02CBEIBEEEC9F359B07D87u:1154:8836089E4FBA2EODC2265B23734EODAC:CODF566168B87C59E49EE6FC387624Bhan:1155:8DF50C33A1163DA5695109AB020E401C:C42811B800B66EF63CBC998CA1875Diu:1157:DC401407FE9C337C2C5AE1F1CFB9210F:7722C33A8C32433AADBhiu:1159:D7515FBAAA526ADA2EAC541D19BC1646:74BA7D2270FC0FF00888C77C519670ang:1161:FA73D18703A8B0699C5014AE4718A7EE:3C12126EFCOBE3E76661D15982DANONYNOUSUSER:1166:085A478104E74FCAE31F3E471306F31B:7C3045D697843D06D8AFDEE36508C45_aw:1168:A21E98AE483CBDBA82E8A8181514656E:445AE264B5793678DCE7AC4ACBCBRV2KAD00:1169:06280222090578B8F4A5EC2279CB5887:F6FE6496CBB289D9383947E6914_RV2KAP02:1170:9F940E5892307DF3201F9975E62308CF:AA90898272E60910643DFCE6CAA_RV2KDC01:1171:0ED39A319B3D721C177D4C208C17ED49:4C030B4F2B9AF9DC63C4C637555_使用者懼后上一頁首頁命名新的帳戶這個(gè)名稱會(huì)出現(xiàn)在歡迎使用盤面和[開始]功能表·下一步(N)取消重點(diǎn)：本案例取得之重點(diǎn)：本案例取得之Hash值，也可暴力破解。暴力破解密碼難度是如此容易變更Tony變更Tony的密碼您即將寫Tony重設(shè)密碼·如果您運(yùn)座做的話，Tony將失去所有EFS-加密檐案、回人憑證、儲(chǔ)存的弱站密碼或弱路育源·建立9位數(shù)密碼，以hhhh1234!為例使用者根戶7正在建立安主的密碼 密碼破解範(fàn)例(續(xù))?利用gh.exe(GetHashes)來抓取密碼Hash值?指令“程式名稱$Local”,ex:gh$LocalAdministrator:500:AAD3B435B51404EEAAD3B435B51404EE;31D8CFE0016AE931B7305907E0C08aries:1003:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDCCBAGuest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73HelpAssistant:1000:DC81AC92E070FF829968C4E9E3749CE8:7AAE2C53A70AAB2ADSUPPORT388945a0:1002:AADSB435BEEAADSBEEEFBFFA_Tony;1005:AAD3B435B51404EEAAD3B435B51404EE:9FA