Let's go Phishing with Email!
Sep. 25, 2018•0 likes•779 views
Download to read offline
Report
Technology
In this talk I go through SPF, Sender ID, DKIM, and DMARC to demonstrate and explain how all of these technologies come together to improve your email security. I also showcase a demo of O365 and how vulnerable it is to phishing by common mistakes and demonstrating how the whitelist function is really dangerous.
Wesley KirklandFollow
Recommended
TypeScript no Grupo BandeirantesMVP Microsoft
Google Associate Cloud Engineer Certification TipsDaniel Zivkovic
Secure Code Review 101Narudom Roongsiriwong, CISSP
How CMMC Auditors Recommend You Defend Your Organization - Completed March, 2...Ignyte Assurance Platform
Pen Testing DevelopmentCTruncer
How to secure your business on the cloud? practical approach from strategy to...Aladdin Dandis
More Related Content
Similar to Let's go Phishing with Email!
The Risks of YOLOing-2.pdfHacken
Adi Bolboacă: Architecture For Disaster Resistant Systems at I T.A.K.E. Unco...Mozaic Works
Don't Diligence Information Security for Lawyersdarrentthurston
Threat Modeling Using STRIDEGirindro Pringgo Digdo
Architecture for Disaster Resistant Systems @I TAKE Unconference 29 05 2015Adi Bolboaca
ClassifierPhamDienHoa
Recently uploaded
INASLA_AI and Landscape Architecture.pptxJonathon Geels
How SACCOs can increase their memberships AD_compressed (1).pdfCoretecDigital
OpenFOAM benchmark for EPYC server: cavity mediumtakuyayamamoto1800
AWS Toolkit.pptxBrandon Minnick, MBA
GDSC Final PPT.pptxDishaSharma737984
Common - Concerns Around OpenAI.pptxAlok Ranjan
![[KCD GT 2023] Demystifying etcd failure scenarios for Kubernetes.pdf](https://cdn.slidesharecdn.com/ss_thumbnails/wc-kcdgt2023demystifyingetcdfailurescenariosforkubernetes-230819210453-e911a262-thumbnail.jpg?width=2048&height=1162&fit=bounds)
Let's go Phishing with Email!
Let’s go Phishing with Email!
Write-Output “Hello” I’m Wesley Kirkland I have over 3 years of Systems Engineering experience consisting of On Premise, Cloud, and automation. Currently I work at Ministry Brands as a Sr. Systems Engineer working with PowerShell, Azure, and Office 365.
SPF (Sender Policy Framework) ● Declared Experimental in 2006 (RFC4408) ● Proposed Standard (RFC7208) ● DNS Records: TXT and not Type 99 ● VERP (Variable envelope return path) ○ Example: wikipedians- owner+bob=example.org@example.net ● SPF Oddities ● SPF Nesting ● Include Types ○ A ○ MX ○ PTR ○ ip4 ○ ip6 ○ Include ○ Redirect ○ Exists ■ Dynamic ■ %{i}._spf.s$domain.$tld
SPF Types and Errors ● +all ● N/A ● ?all ● ~all ● -all ● TempError ● PermError
SPF 2.0 ● Wait What! ● Sender ID ○ Obsolete ○ Independent ● Microsoft ○ Developer ○ Open Specification Promise ● Example: ○ SPF: v=spf1 include:spf.sign-up.to ~all ○ Sender ID:spf2.0/pra include:spf.sign-up.to ~all ○ Sender ID: spf2.0/pra,mfrom include:spf.sign-up.to ~all ● Major ESPs (Email Service Providers) ○ AOL ○ Bell Canada
DKIM (DomainKeys Identified Mail) ● Proposed Standard in 2007 (RFC4871, RFC6376) ● Digitally signing email via asymmetric encryption ○ Validated via DNS public key ○ selector1._domainkeys.$domain.$tld ● Verify the integrity of your mail across the internet ● Actions (Pass, Fail) ● Adoption
DMARC (Domain-based Message Authentication, Reporting & Conformance) ● SPF Alignments ● DKIM Alignments ● Reporting a. Aggregate b. Forensic ● Policies a. None b. Quarantine c. Reject ● Use cases a. Phishing Protection b. Simplifying Email Delivery c. Domain Reputation ● DMARC on the 2016 Election
Who uses DMARC Policy: None ● apple.com - SPF SoftFail ● cars.com - SPF SoftFail ● cisco.com - SPF SoftFail ● costco.com - SPF HardFail ● dell.com - SPF SoftFail ● delta.com - SPF HardFail ● discover.com - SPF SoftFail ● House.gov - SPF HardFail ● godaddy.com - SPF SoftFail ● kroger.com - SPF HardFail ● salesforce.com - SPF SoftFail Policy: Reject ● americanexpress.com, aexp.com ● britishairways.com ● citibank.com ● facebook.com ● fedex.com ● linkedin.com ● ups.com ● ftc.gov ● senate.gov ● usps.gov ● wellsfargo.com Source: https://dmarc.org/who-is-using-dmarc/
DMARC & Common ESPs ● Sub Domain Quarantine ○ Gmail.com ○ Live.com ○ Hotmail.com ○ Outlook.com ● Quarantine ○ icloud.com ○ Me.com ○ Mac.com ● Reject ○ Yahoo.com ○ Aol.com ● The US Government BOD 18-01 ○ HTTPS Only ○ HSTS ○ STARTTLS ○ SPF/DMARC ○ October 16th, 2018
Commonly Misunderstood Things ● New Domains ● SPF is all your need ● Domain whitelisting
Useful Tools ● DNSTrails ● MXToolbox ● EXCRA ● Dmarcian’s DMARC Inspector ● CheckTLS ● Emkei’s Fake Mailer ● DKIM Validator
O365 Phishing & Fake Email Sending
Bad Bulk Mailers ● SendGrid ● Mandrill/Mail Chimp
Get-Contact ◇ Github: https://github.com/wesleykirkland ◇ Email: wesley@wesleyk.me ◇ Web: wesleyk.me ◇ Linkedin: WesleyKirkland ◇ Twitter: @UnleashTheCloud All examples can be found be found below https://github.com/wesleykirkland/PowerShell- Email-Security
Editor's Notes
- Who likes email, and the management of it? - Pause Yes? You must be lying, email is a sin and an absolutely terrible thing to manage. No? Good because neither do I, everything I’m presenting on is from a lesson learned standpoint I will be presenting on email security, routing, security, and some really useful websites that you may not know about
- Why did I do this? A little over a year ago I switched jobs to Ministry Brands to become a Sr. Systems Engineer, with my primary project being to migrate the company to Office 365 I got thrown into the deep end on this and had to learn from the ground up, and I’m hoping to share some of my lessons learned Every major email system in so many different accounts (~50 different environments) Rackspace Exchange/IMAP G Suite On Premise Exchange AppRiver O365 This is not about the migration path, but more on how I learned about email security
- It feels like SPF is old, but it’s really not that old by true standards, SPF is primarily a authentication mechanism SPF uses the alignment of the domain in the return path of a message SPF is not always an option, some providers are incapable of adjusting their return paths. Which makes them SPF incapable What I thought about SPF It was a hard yes/no You have/had to have it It was unlimited in length We use Campaign Monitor at work and it’s SPF incapable, what is funny is they are not aware of it as their support doesn’t realize it Variable Return paths are called VERP Very useful for mass mailers By encoding the recipient address in the left half of the email mass mailers can track bounces better Email halfs left vs right Some DNS providers will offer a resource record type of 99, this is a legacy standard leftover from RFC4408 (Section 3.1.1) Odd Things 10 DNS lookup limit Designed by Scott Kitterman to reduce latency, and DNS abuse, DNS DOS attacks Mimecast is one of the major providers who observes this DNS string concatenation This can be used for when you have SPF records over 255 characters, Route 53 supports this and you just can’t have spaces in between your records https://kb.isc.org/article/AA-00356/0/Can-I-have-a-TXT-or-SPF-record-longer-than-255-characters.html Still limited to 512 characters/octets (8 bits to an octet) SPF Nesting This is a very common practice, you include a SPF record like GSuite. Since GSuite has so many sending IPs and to avoid DNS string concatenation they include sub SPF records Example on my personal domain https://mxtoolbox.com/SuperTool.aspx?action=spf%3awesleyk.me&run=toolpage Example on discovery.com This one is good since it actually https://mxtoolbox.com/SuperTool.aspx?action=spf%3adiscovery.com&run=toolpage Types A A records on a domain, if not domain is specified then the current domain in scope MX This is just a pet peeve of mine, specify it in CIDR or a DNS include For example rackspace is a massive email server, their MX servers are not their sending server(s) PTR - Discouraged Causes excessive DNS lookups IP (CIDR or IP) IP4 IP6 Include Note if a include fails with a perm error it will be passed back up the tree Redirect Simply redirect your SPF record Dynamic This has the ability to create a dynamic SPF record with unlimited DNS includes Salesforce.com uses this for their MTA (Mail Transport agent) One option may to do SPF flattening - https://dmarcian.com/spf-survey/ You have to keep this up to date, a few online services assist with this fraudmarc.com ondmarc.com Source: http://www.openspf.org/SPF_Record_Syntax
- SPF Fails +all - The owner of the domain doesn’t care or thinks SPF is useless N/A - None this is the default when you register a domain ?all - Neutral, the sending server does not specifically authorize or deny any sending IPs ~all - SoftFail, the sending server has a list of authorized IPs and is a weak statement that suggests it’s not an authorized sender and the publisher hasn’t locked down their SPF record Many email providers will suggest an ~all record for implementation, this basically means anyone can send as you -all - HardFail, if the sending IP isn’t in the SPF it’s not authorized to send on behalf of the domain Various types of errors TempError - This is typically a transient DNS error, in which the packet was lost. Further checks generally are successful PermError - This means the publishers DNS records could not be interpreted correctly Fun fact O365 will cut you some slack and treat two separate SPF records O365 will also do other fun things for you so you almost always accept email Why -all isn’t always an option Earlier I mentioned SPF incapable mailers, this is the only legitimate reason for ~all (SoftFail) This would only be used when you have non compliant SPF mailers and your recievers don’t comply with DMARC Source: https://tools.ietf.org/html/rfc7208
- I actually learned about this while doing research on this topic, Microsoft was a large supporter of Sender ID and licensed it Eventually it was put under the Microsoft Open Specification Promise - https://en.wikipedia.org/wiki/Sender_ID#Intellectual_property Not compatible with all open source licenses including GNU 3.0 The OSP is not a licence, but rather a Covenant Not to Sue. It promises protection but does not grant any rights. It’s not actually SPF 2.0 and never will be, it’s called Sender ID Example - Notice how they are almost exactly the same?, which SPF Sender ID - pra (Purported Responsible Address) Sender ID - pra (Purported Responsible Address)/mfrom (Mail From) PRA Purported Responsible Address - Selected via a algorithm Sources: http://www.openspf.org/SPF_vs_Sender_ID https://support.signupto.com/hc/en-gb/articles/201806438-An-introduction-to-SPF-Sender-ID-and-DKIM https://tools.ietf.org/html/rfc4407 https://en.wikipedia.org/wiki/Sender_ID#Intellectual_property
- Used to verify the integrity of your mail in transit, primarily for mail authentication Usually you sign the body of the messages only, most email providers modify headers in transit Actions - DKIM does not inform the receiver to take a specific action Pass - Your mail might as well be happy Fail - You can take action on this and mark it as spam or straight up reject Adoption Has not been as fast as had hoped Besides security, it really only helps with DMARC Notes Some older versions of Exchange modify the body which invalidates it for forwarding Yahoo modifies the body to say forwarded by Yahoo Sources: https://blog.returnpath.com/how-to-explain-dkim-in-plain-english-2/
- DMARC - I can remember almost every IT acronym except for this which is to long! DMARC is all about policy enforcement, your protecting your Brand Identity and your users Email forwarding DMARC can actually break email forwarding and break it 100% if you don’t use DKIM During forwarding the return path is modified and will invalidate SPF, another technology that Google is a supporter of it ARC (Authenticated Received Chain) DKIM survives email forwarding most of the time, unless you modify the content of the email Show dmarcian example of DMARC forwarding breakag Something to remember, all your doing is preventing your brand/mail from getting spoofed. You still need to properly train your users. SPF Alignment Things to note, SPF does not survive mail forwarding or indirect mail flows such as SDR (Split Domain Routing) Aligning the return path domain/ips to your SPF record DKIM alignment Relaxed - Digitally signed with DKIM from a domain and it’s signature verifies Strict - Digitally signed with DKIM on the sending domain, signing domain and header from domain match Reporting NOTE: O365 does not publish DMARC reports and there are no plans to - https://blogs.msdn.microsoft.com/tzink/2018/05/21/a-way-to-sort-of-approximate-dmarc-aggregate-reports-in-office-365/ Aggregate - Just take my word on this, pay for an actual aggregation service instead of digging through the reports yourself. It’s a bunch of varying XML Forensic - Individual copies of redacted emails with header information Note: Google does not believe in RUF reports for security reasons Privacy Concerns Potentially high in volume Not required to successfully deploy dmarc Policies None - Used for data gathering Quarantine - Ask the mail provider to quarantine your mail for further analysis or send it to junk You can do this in percentages with a specific tag, so it’s not a all or none event Reject - Straight up reject any non compliant mail Use cases Phishing Protection Marking all legitimate and out right rejecting non legitimate mail Simplifying Email Delivery If mail is DMARC compliant, then it’s safer to bypass spam scanning on messages especially form trusted senders SPAM filters are just a super complicated set of rules to see if your mail is legit, and all mail is legit on the internet right? Domain Reputation Less dependant than IPs - Example O365 uses the same IPs for everyone, same thing with Symantec, Mimecast, Rackspace, Sendgrid, Mailchimp, etc. Wouldn’t a reputation for your domain be better than a shared IP address? DMARC on the 2016 Election donaldjtrump.com is 100% vulnerable to spoofing even to this day Hillaryclinton.com had a quarantine policy in place Fun stuff How Microsoft.com went to DMARC quarantine - https://blogs.msdn.microsoft.com/tzink/2016/09/27/how-we-moved-microsoft-com-to-a-pquarantine-dmarc-record/ EOP and DMARC: https://blogs.msdn.microsoft.com/tzink/2014/12/03/using-dmarc-in-office-365/
- I’m not showing who is in quarantine mode, as it’s a ramp up process except when your at 100%. Then you’re waiting to flip the switch.
- This is an example of major ESPs and their DMARC policies, at work with some of our web hosting customers. They like to blame us when they spoof a major ESP and their mail doesn’t get through. So we then have to explain to them they don’t own their gmail/aol address, but rather they are using a service they don’t control. BOD 18-01 Securing our governments internet facing infrastructure Forcing HTTPS/HSTS connections Mail servers must offer STARTTLS SPF and DMARC must be implemented for first and second level domains Disable legacy encryption protocols Secure Sockets Layer (SSL)v2 and SSLv3 are disabled on mail servers 3DES and RC4 ciphers are disabled on mail server October 16th, 2018 This is the final compliance date and all government domains MUST be compliant Current goverment DMARC rollout - https://www.securityweek.com/dmarc-fully-implemented-half-us-government-agencies
- When you register a new domain it is 100% open to any email spoofing it? This is because there are no restriction SPF is all you need When I first started my job I was a big believer in SPF because that’s all I ever learned Domain Whitelisting I’ve actually discovered a fairly massive bug within Rackspaces emailsrvr.com infrastructure that fails to validate DKIM signing Their current workaround is to whitelist any email containing a specific header based upon the header from address, I’ll let you ponder that one for a moment As for domain whitelisting as a whole this is a terrible idea, Mimecast actually informed me about it. If you whitelist a domain, your allowing in any mail that claims to be that domain, and it doesn’t have to validate any checks (FACT CHECK, and test)
- If time allows show a demo of each one of these DNSTrails - Historical DNS information, really useful for diagnosing when DNS errors occurred and for phishing MXToolbox - This website just does everything, SPF, DKIM, DMARC, Header Analysis, DNS, WHOIS, Network checks, TL;DR: It’s amazing and free! EXCRA - Microsoft Header Analysis tool, a.k.a Microsoft Remote Connectivity Analyzer Dmarcian’s DMARC Inspector, show all tags and implied tags CheckTLS - Verify a mail servers security against all possible MX/IP records quickly. Also proof email addresses easily Emkei’s Fake Mail - Test against phishing/spoofing attacks DKIM Validator - Verify SPF and DKIM alignments and information
- Who wants to volunteer their personal email domain Demo RDP phishing.thatsnothowthat.works:3389 Showcase our domains “security features” SPF - Hard Fail DMARC - Reject Junk Mail Filtering - Or lack of it Connectors and transport rules, we are not applying any inbound protection Test with whitelist of our internal domain I’ve been able to successfully test this in a hybrid environment and bypass the spam filter. This is because O365 is not very secure by default, and cares more about deliverability rather than security Show lucidchart diagram - https://www.lucidchart.com/documents/view/10784609-a0f8-4eab-9d9b-2b8d4a9fed62 Note how my fake emails get marked as junk This wasn’t true when I started this demo, maybe try on work VPN if time allows SCL is 9 Need to do more testing, I’m getting SCLs ranging from 5-9 Examples: Fake mailer on wesleyk.me the DMARC rejection will come to SPAM Header analysis demo Fun story about a semi local company in town I identified they weren’t spoofed but hacked and emailed them on how to fix their email, I ended up getting a response form their CEO in less than 24 hours
- Sendgrid - You just need an API key and sendgrid will let you send as any domain without any kind of verification that your affiliated with the domain. This truely pisses me since they have no default security and primarily care about profit Sendgrid doesn’t have a way to find out what domains you are spoofing which is very annoyinh Mandrill - Mandrill has a bad taste in my mouth from when the shut down their API service and went to Mailchimp only MailChimp - Only requires a email verification to start sending mail You just have to receive an email at the domain and click a verification link They don’t require you to do SPF and DKIM validation
- Some more notes about our environment We straight up rejection non DMARC compliant mail for our internal DMARC compliant domains We don’t whitelist senders, we make them make their mail compliant Unless they straight up do a SPF hardfail, or fail DKIM then we mark them as spam If they fail DMARC then we bounce the message I only know of one false positive and that was a lastpass forwarded message and they have an active DKIM signing issue It actually requires a significant amount of effort to truly whitelist a domain in Mimecast We employ a tactic called greylisting, yeah it pisses some of our users off. But we bounce 1200 messages a week currently that don’t even make it to spam Displayed above is my contact information. There is a shameless self plug that I would like to mention. You will see “The PowerShell Conference Book”, earlier this year I had a wonderful opportunity to contribute to this book. It’s designed to be conference style talks written in each chapter. With over 30+ chapters, each author is a SME on each subject that they have written about. All royalties go directly to the Devops Collective OnRamp scholarship fund, which helps underrepresented individuals get a head start in the IT Industry. If you are above above a intermediate user to advanced user I highly suggest you check out this book.