BlackMailed - BSides SATX 2015

BlackMailed
The art of email intelligence
gathering, hackery, and the
idiocracy of it all.
May 2, 2015
Copyright © 2015. Lumenate Technologies, LP. All rights reserved.

About Me
Copyright © 2015. Lumenate Technologies, LP. All rights reserved.2
• Retired USAF Master Sergeant
• IT Security, 23 years
• Network Traffic Analysis
• Digital Forensics/Malware Analysis
• Hacking/Pentesting
• Certified C|EH & Security+
• SAHA!/AHA!
• Hacking since ‘86! (C-64 & Amiga)
• Karaoke Junkie!

Agenda
• Dark Internet Mail Environment (DIME)
• RFC5322 – Internet Message Format
• Internet Message Header
• Message Header Generators (Client vs Server)
• Case Study: Interesting Artifacts
• Imagine the Possibilities
• Hacker FunTime, Yeah!
• Closing Time

Dark Internet Mail Environment (DIME)
Don’t be afraid of
the Dark!

Dark Internet Mail Environment (DIME)
• 4 Fathers (Git IT? Like forefathers?)
• Ladar Levison (Lavabit)
• Phil Zimmerman (PGP)
• Jon Callas (PGP, co-founder of Silent Circle)
• Mike Janke (co-founder of Silent Circle)
• DIME
• New protocol & replacement for IMAP, called DMAP
• Thunderbird spin-off called Volcano Mail to support DIME
• End to End encryption
• 2 Pennies
• Don’t think it will be quickly implemented everywhere if at all
• DNSSEC, think about the speed of deployment & adoption

RFC5322 - Internet Message Format
RFC is more what
you'd call
guidelines than
actual rules.

RFC5322 - Internet Message Format
• Message divided into lines of characters
• Line terminated by CR &LF (ASCII 13 & 10)
• Limitations no more than 998 characters per line
• Recommended 78 characters, not including CR/LF
• Message Header – field name, colon, field body
• e.g. Delivery-date: Fri, 08 Feb 2013 19:15:03 -0800
• Message Body – the data after the Message Header
• Separated by the first CR/LF/CR/LF
• If MIME identified, Multipart will contain a Content-Type with a
boundary string

RFC5322: Example Message

Internet Message Headers

Internet Message Headers
• MAIL FROM (SMTP command)
• RCPT TO (SMTP command)
• DATA (SMTP command)
• Envelope-to (recipient message delivered to)
• Delivery-date (date/time message delivered to email service/client)
• Received (list of message server hops needed to reach the mailbox)
• From (displays who the message is from)
• To (displays who the message is to)
• Subject (displays the subject of the email)
• Content-Type (format of the message)
• Message-Id (unique string assigned when message is first created)
• Date (date when the email was composed)
• X-Mailer (Mail client used)
• Content-ID (Reference embedded data within HTML)
• User-Agent (Like a browser)

Message Header Generators

What Generates the Message Headers?
Good question, “Face Riddler”!
• Clients
• Thunderbird
• Outlook
• Web Mail
• Servers
• Postfix
• Sendmail
• Exchange
• Relays
• Same as servers, with autoforward
• Security Tools
• Ironport
• Baracuda
• Proofpoint

Mail Client (Android email 4.2.2.0400)
Mail Server (Exim 4.80)
Return-path: <user1@test.com>
Envelope-to: user2@test.com
Delivery-date: Mon, 09 Mar 2015 15:22:46 -0700
Received: from mobile-XX-XX-XX-XX.mycingular.net ([XX.XX.XX.XX]:30287
helo=[XX.XX.XX.XX])
by smtp.test.com with esmtpsa (TLSv1:RC4-MD5:128)
(Exim 4.80)
(envelope-from <user1@test.com>)
id 1YV64T-0005E1-CB
for user2@test.com; Mon, 09 Mar 2015 15:22:45 -0700
Date: Mon, 09 Mar 2015 17:22:39 -0500
Subject: Test Message
Message-ID: <a8cty6gci5w8ps6qa8ey2trx.1425939758643@email.android.com>
Importance: normal
From: "James B." <user1@test.com>
To: Iv0ryW0lf <user2@test.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--
_com.android.email_1810186420646610“

Received: from mobile-XX-XX-XX-XX.mycingular.net ([XX.XX.XX.XX]:30287
helo=[XX.XX.XX.XX])
by smtp.test.com with esmtpsa (TLSv1:RC4-MD5:128)
(Exim 4.80)
id 1YV64T-0005E1-CB
Date: Mon, 09 Mar 2015 17:22:39 -0500
Message-ID: <a8cty6gci5w8ps6qa8ey2trx.1425939758643@email.android.com>
Importance: normal
From: "James B." <user1@test.com>
To: Iv0ryW0lf <user2@test.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--
_com.android.email_1810186420646610“

Mail Server (Exchange Server & Ironport)
Return-path: <prvs=503ac6043=user4@test.com>
Envelope-to: user@test.org
Received: from gateway.test.com ([XX.XX.XX.XX]:31360 helo=smtp.test.com)
by smtp2.test.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.80)
(envelope-from <prvs=503ac6043=user4@test.com>)
id 1YV62G-0004wv-3R
for user@test.org; Mon, 09 Mar 2015 15:20:28 -0700
X-IronPort-AV: E=Sophos;i="5.11,370,1422943200";
d="scan'208,217";a="3129279"
Received: from server.test.biz (HELO server.test.com) ([172.26.10.15])
by smtp.test.com with ESMTP/TLS/AES128-SHA; 09 Mar 2015 17:20:27 -0500
Received: from server.test.biz ([::1]) by server.test.biz
([::1]) with mapi id 14.03.0210.002; Mon, 9 Mar 2015 17:20:27 -0500
From: James Boyd <user4@test.com>
To: Iv0ryW0lf <user@test.org>
(Continued on next slide)

Return-path: <prvs=503ac6043=user4@test.com>
Envelope-to: user@test.org
by smtp2.test.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.80)
(envelope-from <prvs=503ac6043=user4@test.com>)
id 1YV62G-0004wv-3R
for user@test.org; Mon, 09 Mar 2015 15:20:28 -0700
d="scan'208,217";a="3129279"
Received: from server.test.biz (HELO server.test.com) ([172.26.10.15])
To: Iv0ryW0lf <user@test.org>

Thread-Topic: Test Message
Thread-Index: AdBatz48+W1T4OygRUGexKrXonooBg==
Date: Mon, 9 Mar 2015 22:20:26 +0000
Message-ID: <jmbkj4i5a0x8wc1ckc3sr2s2.1425939380752@email.android.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative;
boundary="_000_jmbkj4i5a0x8wc1ckc3sr2s21425939380752emailandroidcom_"
MIME-Version: 1.0
X-Spam-Status: No, score=-1.8
X-Spam-Score: -17
X-Spam-Bar: -
X-Spam-Flag: NO

Thread-Index: AdBatz48+W1T4OygRUGexKrXonooBg==
Date: Mon, 9 Mar 2015 22:20:26 +0000
Message-ID: <jmbkj4i5a0x8wc1ckc3sr2s2.1425939380752@email.android.com>
X-MS-Has-Attach:
Content-Type: multipart/alternative;
boundary="_000_jmbkj4i5a0x8wc1ckc3sr2s21425939380752emailandroidcom_"
MIME-Version: 1.0
X-Spam-Score: -17
X-Spam-Bar: -
X-Spam-Flag: NO

Mail Client (Gmail version 5.0.1 (1642443))
Received: from cpe-XX-XX-XX-XX.satx.res.rr.com ([XX.XX.XX.XX]:36549
helo=[XX.XX.XX.XX])
by smtp.test.com with esmtpsa (TLSv1:DHE-RSA-AES128-SHA:128)
(Exim 4.80)
id 1YVAZ3-0004Ic-Pe
Date: Mon, 09 Mar 2015 22:10:30 -0500
From: James `Iv0ryW0lf` Boyd <user1@test.com>
To: user2@test.com
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64

Mail Client (Gmail version 5.0.1 (1642443))
Received: from cpe-XX-XX-XX-XX.satx.res.rr.com ([XX.XX.XX.XX]:36549
helo=[XX.XX.XX.XX])
by smtp.test.com with esmtpsa (TLSv1:DHE-RSA-AES128-SHA:128)
(Exim 4.80)
id 1YVAZ3-0004Ic-Pe
Date: Mon, 09 Mar 2015 22:10:30 -0500
From: James `Iv0ryW0lf` Boyd <user1@test.com>
To: user2@test.com
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Is Something
Missing?

Mail Client (Gmail Version 5.0.1 (1642443))
Return-path: <prvs=504468ce4=user4@test.com>
by server.test.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.80)
(envelope-from <prvs=504468ce4=user4@test.com>)
id 1YVAQt-0003Zg-7A
d="scan'208";a="3130663"
Received: from server.test.biz (HELO smtp1.test.com) ([172.26.10.15])
To: "user1@test.com" <user1@test.com>

Return-path: <prvs=504468ce4=user4@test.com>
(Exim 4.80)
(envelope-from <prvs=504468ce4=user4@test.com>)
id 1YVAQt-0003Zg-7A
d="scan'208";a="3130663"
Received: from server.test.biz (HELO smtp1.test.com) ([172.26.10.15])

Thread-Index: AdBa3pkkGKXsFcpoT5O+Wn5hBWH5Ug==
Date: Tue, 10 Mar 2015 03:02:09 +0000
Message-ID: <24691FB1F4BBC1303824DF2F0AE0B8A7@server.test.biz>
X-MS-Has-Attach:
Content-Type: text/plain; charset="utf-8"
Content-ID: <83B5A0DF6BC31F4FADA6DF2562C2B1DB@test.biz>
MIME-Version: 1.0
X-Spam-Score: -17
X-Spam-Bar: -
X-Spam-Flag: NO

Mail Server (GMail)
Return-path: <test@gmail.com>
Received: from mail-oi0-f54.google.com ([209.85.218.54]:39544)
(Exim 4.80)
(envelope-from <test@gmail.com>)
id 1YVAaD-0004Na-NH
Received: by oigi138 with SMTP id i138so33232364oig.6
for <user2@test.com>; Mon, 09 Mar 2015 20:11:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=mime-version:date:message-id:subject:from:to:content-type;
bh=dKWTxk78twWIZ8v+fZ2Tnbc/noQKgx5iq9KCPakTkkU=;
b=0pctzPh4gY9szcMXg796gt7E5865wfX1K35W8oY1zPgL6/jzuWdjd4kJ4WMtR

Mail Server (GMail)
MIME-Version: 1.0
X-Received: by 10.60.103.116 with SMTP id
fv20mr24693840oeb.2.1425957108489;
Mon, 09 Mar 2015 20:11:48 -0700 (PDT)
Received: by 10.76.124.68 with HTTP; Mon, 9 Mar 2015 20:11:48 -0700 (PDT)
Date: Mon, 9 Mar 2015 22:11:48 -0500
Message-ID: <CALTWypa6+KYYQ9syd0mc2L=WRfm8ZFyJcncozU8-
+hWK=C6rKw@mail.gmail.com>
From: James Boyd <test@gmail.com>
To: user2@test.com
Content-Type: multipart/alternative; boundary=089e01160664eaa19c0510e68202
X-Spam-Score: -15
X-Spam-Bar: -
X-Spam-Flag: NO

Mail Server (GMail)
MIME-Version: 1.0
X-Received: by 10.60.103.116 with SMTP id
fv20mr24693840oeb.2.1425957108489;
Mon, 09 Mar 2015 20:11:48 -0700 (PDT)
Date: Mon, 9 Mar 2015 22:11:48 -0500
Message-ID: <CALTWypa6+KYYQ9syd0mc2L=WRfm8ZFyJcncozU8-
+hWK=C6rKw@mail.gmail.com>
From: James Boyd <test@gmail.com>
To: user2@test.com
Content-Type: multipart/alternative; boundary=089e01160664eaa19c0510e68202
X-Spam-Score: -15
X-Spam-Bar: -
X-Spam-Flag: NO

Mail Client (Outlook 2013 v15.0.4693.1002)
Return-path: <prvs=5039f90b3=user3@test.com>
by smtp.test.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.80)
(envelope-from <prvs=5039f90b3=user3@test.com>)
id 1YV2yT-0005C6-7K
d="png'150?scan'150,208,217,150";a="3126585"
Received: from smtp.test.biz (HELO smtp2.test.com) ([XX.XX.XX.XX])
Received: from smtp.test.biz ([::1]) by smtp.test.biz
From: User 3 <user3@test.com>

Return-path: <prvs=5039f90b3=user3@test.com>
by smtp.test.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.80)
(envelope-from <prvs=5039f90b3=user3@test.com>)
id 1YV2yT-0005C6-7K
d="png'150?scan'150,208,217,150";a="3126585"
Received: from smtp.test.biz (HELO smtp2.test.com) ([XX.XX.XX.XX])
Received: from smtp.test.biz ([::1]) by smtp.test.biz
From: User 3 <user3@test.com>

Thread-Index: AdBam5KRVOla9s5AR8qAXJaFPO3Xdg==
Date: Mon, 9 Mar 2015 19:04:18 +0000
Message-ID: <5527EAB237A7384AADEEF88EAC1A399F15520CEE@smtp.test.biz>
X-MS-Has-Attach: yes
x-originating-ip: [XX.XX.XX.XX]
Content-Type: multipart/related;
boundary="_004_5527EAB237A7384AADEEF88EAC1A399F15520CEEXXXX01xxx_";
type="multipart/alternative"
MIME-Version: 1.0
X-Spam-Score: -18
X-Spam-Bar: -
X-Spam-Flag: NO

Case Study: Interesting Artifacts

Artifact: Received
Received: from [190.107.180.194] (port=38287 helo=booking.yeah)
by my.mailserver.com with esmtp (Exim 4.80)
(envelope-from <clearsj@booking.yeah>)
id 1YgFBp-000410-OG
for me@mydomain.com; Thu, 09 Apr 2015 09:20:32 -0700
190.107.180.194
AS262235
Country: PE
Registration Date: 2012-06-01
Registrar: lacnic
Owner: NETLINE PERU SA,PE
booking.yeah
Non-authoritative answer:
Name: booking.yeah
Address: 5.57.16.220
Non-authoritative answer:
220.16.57.5.in-addr.arpa name = www.booking.yeah.

Artifact: Dates
Delivery-date: Thu, 09 Apr 2015 09:20:33 -0700
id 1YgFBp-000410-OG
Date: Thu, 9 Apr 2015 12:20:25 -0400
GMT -0400 = EDT (GMT -0500 would be EST)
GMT -0700 = PDT (GMT -0800 would be PST)
Peru = GMT -0500 (Same time as EST, if we didn’t care about
Daylight)

Artifact: Email Addresses
Return-path: <clearsj@booking.yeah>
Envelope-to: me@mydomain.com
id 1YgFBp-000410-OG
From: “Phishinator" <clearsj@booking.yeah>
To: me@mydomain.com
NO! FaceRiddler, the email is not legitimate. Let me finish!
Booking.yeah!
Seems Legit!

Artifact: Some Others
Subject: Hola my photo
Content-Type: multipart/mixed;
boundary="----------E1062B15A4DA712"
X-Spam-Status: No, score=2.1
X-Spam-Score: 21
X-Spam-Bar: ++
X-Spam-Flag: NO
------------E1062B15A4DA712
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
hola my new photo , send u photo
------------E1062B15A4DA712
Content-Type: application/zip; name="my_new_photo372647863278462387.zip"
Content-Disposition: attachment; filename="my_new_photo372647863278462387.zip"

Imagine the Possibilities

Imagine the Possibilities
- Fingerprinting email clients/servers
- Map email relays
- Discover email client/server options
- Determine the hostname of the origin of the email
- Add data to intelligence framework
- What else can an adversary/cracker/media hacker/script kiddie do?

Hacker FunTime, Yeah!

World of E-Craft
- My Setup (VirtualBox, Linux Mint, Sendmail, Python)
- Message Header (To, From, Subject, MIME-Version, Content-Type)
- Message Body (Whatever I want!!! And attachments!)
Python Snippet
smtp = smtplib.SMTP('127.0.0.1',25) #Sendmail running first
smtp.sendmail(from_msg, to_msg.split(','), email_full)
smtp.close()
- IP & Port can be set to external email relays
- from_msg & to_msg is for the SMTP server
- email_full contains all headers & body
- See above…Whatever I want!!!

World of E-Craft: Why?
- Generate phishing emails (hopefully based on real emails)
- Email Client/Server Fuzzing/Exploit (testing the limits)
- Change your own SPAM rating (Yep…all good!)
- Hide Data? Yes!!!
Python Snippet (Section of email_full)
X-NINJA: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAA…
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAsAAAAA4fug4AtAnNIbgBT0h…
VGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0A…
AAAAAAABdFx3bGXZziBl2c4gZdnOIGXZziAp2c4jlVmGIGHZziFJY2Zd…
- X-NINJA is a made up header field
- X-NINJA data is tini.exe (3k Windows backdoor)
- What else could you do? Data exfiltration
maybe?
- 418 lines/78 char base64 in my config, 23k or so
- Documentation states NO LIMITS!!!

Interesting Artifacts: Black Hat Edition,
Literally

Interesting Artifacts
- SPAM headers (Spam Assassin, IronPort, etc)
- Test your well-crafted emails
- AntiVirus headers (Sophos, Trend Micro, McAfee)
- Bypass outdated AV engines
- Virus Total test
- Received headers (Servers as Relays? Yes, please!)
- Scrape potential usernames, server IP/hostname
- Potential exploit of mail server based on version
- X-Mailer headers (Web client, Outlook, etc)
- Find weakness in clients…ATTACK!
- User-Agent headers (See X-Mailer)
- Still ATTACKING!
- And much, much, more!

Thank You
Email Samples
- HD Moore
- SAHA!/AHA!
- Jeff Schrunk
Support
- BSidesTexas
- SAHA!/AHA!
- iSec Partners – Austin
- Lumenate
- Brenda Boyd

Closing Time
eMail.1: James.Boyd@lumenate.com
eMail.2: iv0ryw0lf@satxhackers.org
Twitter: @Iv0ryW0lf
G-Stuff: iv0ryw0lf.01001001@gmail.com
Any Questions?

Thank you.

BlackMailed - BSides SATX 2015

Recommended

Recommended

More Related Content

Similar to BlackMailed - BSides SATX 2015

Similar to BlackMailed - BSides SATX 2015 (20)

Recently uploaded

Recently uploaded (20)

BlackMailed - BSides SATX 2015