BlackMailed
The art of email intelligence gathering, hackery, and the idiocracy of it all.
May 2, 2015
Copyright © 2015. Lumenate Technologies, LP. All rights reserved.
About Me
• Retired USAF Master Sergeant
• IT Security, 23 years
• Network Traffic Analysis
• Digital Forensics/Malware Analysis
• Hacking/Pentesting
• Certified C|EH & Security+
• SAHA!/AHA!
• Hacking since ‘86! (C-64 & Amiga)
• Karaoke Junkie!
Agenda
• Dark Internet Mail Environment (DIME)
• RFC5322 – Internet Message Format
• Internet Message Header
• Message Header Generators (Client vs Server)
• Case Study: Interesting Artifacts
• Imagine the Possibilities
• Hacker FunTime, Yeah!
• Closing Time
Dark Internet Mail Environment (DIME)
Don’t be afraid of the Dark!
• 4 Fathers (Git IT? Like forefathers?)
• Ladar Levison (Lavabit)
• Phil Zimmermann (PGP)
• Jon Callas (PGP, co-founder of Silent Circle)
• Mike Janke (co-founder of Silent Circle)
• DIME
• New protocol & replacement for IMAP, called DMAP
• Thunderbird spin-off called Volcano Mail to support DIME
• End-to-end encryption
• 2 Pennies
• Don’t expect it to be implemented everywhere quickly, if at all
• Compare DNSSEC: think about its speed of deployment & adoption
RFC5322 - Internet Message Format
RFC is more what you'd call guidelines than actual rules.
• Message divided into lines of characters
• Each line terminated by CR & LF (ASCII 13 & 10)
• Hard limit: no more than 998 characters per line
• Recommended: no more than 78 characters, not including the CR/LF
• Message Header – field name, colon, field body
• e.g. Delivery-date: Fri, 08 Feb 2013 19:15:03 -0800
• Message Body – the data after the Message Header
• Separated from the header by the first CR/LF/CR/LF (an empty line)
• If MIME is used, a multipart message carries a Content-Type with a boundary string that delimits the parts
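The rules above are enough to write a small parser. The following is an added example, not code from the slides: it splits a constructed message at the first empty line, unfolds continuation lines, checks field names against the characters RFC 5322 allows, pulls the multipart boundary out of Content-Type and reports lines over the 998/78 limits. The message text, the example.invalid host names and the boundary string are all made up for the demo.

```python
import re

CRLF = "\r\n"
HARD_LIMIT = 998   # RFC 5322 2.1.1: a line MUST NOT exceed 998 characters (CRLF excluded)
SOFT_LIMIT = 78    # and SHOULD NOT exceed 78

# Constructed sample message, not one of the slide samples: two folded header
# fields, a multipart Content-Type with a boundary parameter and a short body.
SAMPLE = (
    "Delivery-date: Fri, 08 Feb 2013 19:15:03 -0800\r\n"
    "Received: from example.invalid ([192.0.2.10]:1234)\r\n"
    "\tby mx.example.invalid with esmtp (Exim 4.80)\r\n"
    "\tid 1ABCDE-000000-AA\r\n"
    "From: Alice <alice@example.invalid>\r\n"
    "To: Bob <bob@example.invalid>\r\n"
    "Subject: folded\r\n"
    " subject line\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: multipart/alternative;\r\n"
    '  boundary="--_example_boundary_1"\r\n'
    "\r\n"
    "----_example_boundary_1\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "hello\r\n"
    "----_example_boundary_1--\r\n"
)

# A field name is any run of printable US-ASCII except the colon (RFC 5322 3.6.8).
FIELD_NAME = re.compile(r"[\x21-\x39\x3b-\x7e]+")


def split_message(raw):
    """Header block and body are separated by the first empty line (CRLF CRLF)."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("no empty line separating header from body")
    return head, body


def unfold(head):
    """A line starting with SP or HTAB continues the previous field (folding)."""
    fields = []
    for line in head.split(CRLF):
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        else:
            fields.append(line)
    return fields


def parse_fields(head):
    """Return (name, body) pairs in order; names may repeat (several Received lines)."""
    out = []
    for field in unfold(head):
        name, colon, body = field.partition(":")
        if not colon or not FIELD_NAME.fullmatch(name):
            raise ValueError("malformed header field: %r" % field)
        out.append((name, body.strip()))
    return out


def mime_boundary(fields):
    """Boundary parameter of a multipart Content-Type, or None for non-multipart."""
    for name, body in fields:
        if name.lower() == "content-type" and body.lower().startswith("multipart/"):
            m = re.search(r'boundary="?([^";]+)"?', body)
            return m.group(1) if m else None
    return None


def line_length_violations(raw):
    """Indexes of lines over the 998 hard limit, and how many exceed the 78 soft limit."""
    lines = raw.split(CRLF)
    hard = [i for i, line in enumerate(lines) if len(line) > HARD_LIMIT]
    soft = sum(1 for line in lines if len(line) > SOFT_LIMIT)
    return hard, soft


def parse(raw):
    head, body = split_message(raw)
    fields = parse_fields(head)
    return {"fields": fields, "body": body, "boundary": mime_boundary(fields),
            "line_violations": line_length_violations(raw)}


if __name__ == "__main__":
    result = parse(SAMPLE)
    for name, body in result["fields"]:
        print("%s => %s" % (name, body))
    print("multipart boundary:", result["boundary"])
```

Running it prints each unfolded field once (the two-line Subject comes back as one value) and the boundary that the body's delimiter lines are built from.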
RFC5322: Example Message
(The example message on these three slides was shown as an image and is not captured in this transcript.)
Internet Message Headers
• MAIL FROM (SMTP command)
• RCPT TO (SMTP command)
• DATA (SMTP command)
• Envelope-to (recipient message delivered to)
• Delivery-date (date/time message delivered to email service/client)
• Received (one entry per server hop the message passed through on its way to the mailbox)
• From (displays who the message is from)
• To (displays who the message is to)
• Subject (displays the subject of the email)
• Content-Type (format of the message)
• Message-ID (unique string assigned when the message is first created)
• Date (date when the email was composed)
• X-Mailer (Mail client used)
• Content-ID (references embedded data within HTML)
• User-Agent (identifies the client, like a browser’s)
Message Header Generators
What Generates the Message Headers?
Good question, “Face Riddler”!
• Clients
• Thunderbird
• Outlook
• Web Mail
• Servers
• Postfix
• Sendmail
• Exchange
• Relays
• Same as servers, with autoforward
• Security Tools
• Ironport
• Barracuda
• Proofpoint
Mail Client (Android email 4.2.2.0400)
Mail Server (Exim 4.80)
Return-path: <user1@test.com>
Envelope-to: user2@test.com
Delivery-date: Mon, 09 Mar 2015 15:22:46 -0700
Received: from mobile-XX-XX-XX-XX.mycingular.net ([XX.XX.XX.XX]:30287
helo=[XX.XX.XX.XX])
by smtp.test.com with esmtpsa (TLSv1:RC4-MD5:128)
(Exim 4.80)
(envelope-from <user1@test.com>)
id 1YV64T-0005E1-CB
for user2@test.com; Mon, 09 Mar 2015 15:22:45 -0700
Date: Mon, 09 Mar 2015 17:22:39 -0500
Subject: Test Message
Message-ID: <a8cty6gci5w8ps6qa8ey2trx.1425939758643@email.android.com>
Importance: normal
From: "James B." <user1@test.com>
To: Iv0ryW0lf <user2@test.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--_com.android.email_1810186420646610"
Mail Client (Android email 4.2.2.0400)
Mail Server (Exchange Server & Ironport)
Return-path: <prvs=503ac6043=user4@test.com>
Envelope-to: user@test.org
Delivery-date: Mon, 09 Mar 2015 15:20:28 -0700
Received: from gateway.test.com ([XX.XX.XX.XX]:31360 helo=smtp.test.com)
by smtp2.test.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.80)
(envelope-from <prvs=503ac6043=user4@test.com>)
id 1YV62G-0004wv-3R
for user@test.org; Mon, 09 Mar 2015 15:20:28 -0700
X-IronPort-AV: E=Sophos;i="5.11,370,1422943200";
d="scan'208,217";a="3129279"
Received: from server.test.biz (HELO server.test.com) ([172.26.10.15])
by smtp.test.com with ESMTP/TLS/AES128-SHA; 09 Mar 2015 17:20:27 -0500
Received: from server.test.biz ([::1]) by server.test.biz
([::1]) with mapi id 14.03.0210.002; Mon, 9 Mar 2015 17:20:27 -0500
From: James Boyd <user4@test.com>
To: Iv0ryW0lf <user@test.org>
Subject: Test Message
Thread-Topic: Test Message
Thread-Index: AdBatz48+W1T4OygRUGexKrXonooBg==
Date: Mon, 9 Mar 2015 22:20:26 +0000
Message-ID: <jmbkj4i5a0x8wc1ckc3sr2s2.1425939380752@email.android.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative;
boundary="_000_jmbkj4i5a0x8wc1ckc3sr2s21425939380752emailandroidcom_"
MIME-Version: 1.0
X-Spam-Status: No, score=-1.8
X-Spam-Score: -17
X-Spam-Bar: -
X-Spam-Flag: NO
Mail Client (Gmail version 5.0.1 (1642443))
Mail Server (Exim 4.80)
Return-path: <user1@test.com>
Envelope-to: user2@test.com
Delivery-date: Mon, 09 Mar 2015 20:10:38 -0700
Received: from cpe-XX-XX-XX-XX.satx.res.rr.com ([XX.XX.XX.XX]:36549
helo=[XX.XX.XX.XX])
by smtp.test.com with esmtpsa (TLSv1:DHE-RSA-AES128-SHA:128)
(Exim 4.80)
(envelope-from <user1@test.com>)
id 1YVAZ3-0004Ic-Pe
for user2@test.com; Mon, 09 Mar 2015 20:10:38 -0700
Date: Mon, 09 Mar 2015 22:10:30 -0500
Subject: Test Message
From: James `Iv0ryW0lf` Boyd <user1@test.com>
To: user2@test.com
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64
Is Something Missing?
Mail Client (Gmail Version 5.0.1 (1642443))
Mail Server (Exchange Server & Ironport)
Return-path: <prvs=504468ce4=user4@test.com>
Envelope-to: user1@test.com
Delivery-date: Mon, 09 Mar 2015 20:02:11 -0700
Received: from gateway.test.com ([XX.XX.XX.XX]:60282 helo=smtp.test.com)
by server.test.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.80)
(envelope-from <prvs=504468ce4=user4@test.com>)
id 1YVAQt-0003Zg-7A
for user1@test.com; Mon, 09 Mar 2015 20:02:11 -0700
X-IronPort-AV: E=Sophos;i="5.11,371,1422943200";
d="scan'208";a="3130663"
Received: from server.test.biz (HELO smtp1.test.com) ([172.26.10.15])
by smtp.test.com with ESMTP/TLS/AES128-SHA; 09 Mar 2015 22:02:10 -0500
Received: from server.test.biz ([::1]) by server.test.biz
([::1]) with mapi id 14.03.0210.002; Mon, 9 Mar 2015 22:02:10 -0500
From: James Boyd <user4@test.com>
To: "user1@test.com" <user1@test.com>
Subject: Test Message
Thread-Topic: Test Message
Thread-Index: AdBa3pkkGKXsFcpoT5O+Wn5hBWH5Ug==
Date: Tue, 10 Mar 2015 03:02:09 +0000
Message-ID: <24691FB1F4BBC1303824DF2F0AE0B8A7@server.test.biz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="utf-8"
Content-ID: <83B5A0DF6BC31F4FADA6DF2562C2B1DB@test.biz>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Spam-Status: No, score=-1.8
X-Spam-Score: -17
X-Spam-Bar: -
X-Spam-Flag: NO
Mail Client (Gmail Version 5.0.1 (1642443))
Mail Server (GMail)
Return-path: <test@gmail.com>
Envelope-to: user2@test.com
Delivery-date: Mon, 09 Mar 2015 20:11:50 -0700
Received: from mail-oi0-f54.google.com ([209.85.218.54]:39544)
by server.test.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.80)
(envelope-from <test@gmail.com>)
id 1YVAaD-0004Na-NH
for user2@test.com; Mon, 09 Mar 2015 20:11:50 -0700
Received: by oigi138 with SMTP id i138so33232364oig.6
for <user2@test.com>; Mon, 09 Mar 2015 20:11:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=mime-version:date:message-id:subject:from:to:content-type;
bh=dKWTxk78twWIZ8v+fZ2Tnbc/noQKgx5iq9KCPakTkkU=;
b=0pctzPh4gY9szcMXg796gt7E5865wfX1K35W8oY1zPgL6/jzuWdjd4kJ4WMtR
MIME-Version: 1.0
X-Received: by 10.60.103.116 with SMTP id
fv20mr24693840oeb.2.1425957108489;
Mon, 09 Mar 2015 20:11:48 -0700 (PDT)
Received: by 10.76.124.68 with HTTP; Mon, 9 Mar 2015 20:11:48 -0700 (PDT)
Received: by 10.76.124.68 with HTTP; Mon, 9 Mar 2015 20:11:48 -0700 (PDT)
Date: Mon, 9 Mar 2015 22:11:48 -0500
Message-ID: <CALTWypa6+KYYQ9syd0mc2L=WRfm8ZFyJcncozU8-
+hWK=C6rKw@mail.gmail.com>
Subject: Test Message
From: James Boyd <test@gmail.com>
To: user2@test.com
Content-Type: multipart/alternative; boundary=089e01160664eaa19c0510e68202
X-Spam-Status: No, score=-1.6
X-Spam-Score: -15
X-Spam-Bar: -
X-Spam-Flag: NO
Mail Client (Outlook 2013 v15.0.4693.1002)
Mail Server (Exchange Server & Ironport)
Return-path: <prvs=5039f90b3=user3@test.com>
Envelope-to: user2@test.com
Delivery-date: Mon, 09 Mar 2015 12:04:22 -0700
Received: from gateway.test.com ([XX.XX.XX.XX]:46689 helo=smtp.test.com)
by smtp.test.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.80)
(envelope-from <prvs=5039f90b3=user3@test.com>)
id 1YV2yT-0005C6-7K
for user2@test.com; Mon, 09 Mar 2015 12:04:22 -0700
X-IronPort-AV: E=Sophos;i="5.11,369,1422943200";
d="png'150?scan'150,208,217,150";a="3126585"
Received: from smtp.test.biz (HELO smtp2.test.com) ([XX.XX.XX.XX])
by smtp.test.com with ESMTP/TLS/AES128-SHA; 09 Mar 2015 14:04:19 -0500
Received: from smtp.test.biz ([::1]) by smtp.test.biz
([::1]) with mapi id 14.03.0210.002; Mon, 9 Mar 2015 14:04:19 -0500
From: User 3 <user3@test.com>
To: "user2@test.com" <user2@test.com>
Subject: Test Message
Thread-Topic: Test Message
Thread-Index: AdBam5KRVOla9s5AR8qAXJaFPO3Xdg==
Date: Mon, 9 Mar 2015 19:04:18 +0000
Message-ID: <5527EAB237A7384AADEEF88EAC1A399F15520CEE@smtp.test.biz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [XX.XX.XX.XX]
Content-Type: multipart/related;
boundary="_004_5527EAB237A7384AADEEF88EAC1A399F15520CEEXXXX01xxx_";
type="multipart/alternative"
MIME-Version: 1.0
X-Spam-Status: No, score=-1.9
X-Spam-Score: -18
X-Spam-Bar: -
X-Spam-Flag: NO
Case Study: Interesting Artifacts
Artifact: Received
Received: from [190.107.180.194] (port=38287 helo=booking.yeah)
by my.mailserver.com with esmtp (Exim 4.80)
(envelope-from <clearsj@booking.yeah>)
id 1YgFBp-000410-OG
for me@mydomain.com; Thu, 09 Apr 2015 09:20:32 -0700
190.107.180.194
AS262235
Country: PE
Registration Date: 2012-06-01
Registrar: lacnic
Owner: NETLINE PERU SA,PE
booking.yeah
Non-authoritative answer:
Name: booking.yeah
Address: 5.57.16.220
Non-authoritative answer:
220.16.57.5.in-addr.arpa name = www.booking.yeah.
Artifact: Dates
Delivery-date: Thu, 09 Apr 2015 09:20:33 -0700
Received: from [190.107.180.194] (port=38287 helo=booking.yeah)
by my.mailserver.com with esmtp (Exim 4.80)
(envelope-from <clearsj@booking.yeah>)
id 1YgFBp-000410-OG
for me@mydomain.com; Thu, 09 Apr 2015 09:20:32 -0700
Date: Thu, 9 Apr 2015 12:20:25 -0400
GMT -0400 = EDT (GMT -0500 would be EST)
GMT -0700 = PDT (GMT -0800 would be PST)
Peru = GMT -0500 (same time as EST, if we didn’t care about Daylight Saving)
Artifact: Email Addresses
Return-path: <clearsj@booking.yeah>
Envelope-to: me@mydomain.com
Received: from [190.107.180.194] (port=38287 helo=booking.yeah)
by my.mailserver.com with esmtp (Exim 4.80)
(envelope-from <clearsj@booking.yeah>)
id 1YgFBp-000410-OG
for me@mydomain.com; Thu, 09 Apr 2015 09:20:32 -0700
From: "Phishinator" <clearsj@booking.yeah>
To: me@mydomain.com
NO! FaceRiddler, the email is not legitimate. Let me finish!
Booking.yeah!
Seems Legit!
Artifact: Some Others
Subject: Hola my photo
Content-Type: multipart/mixed;
boundary="----------E1062B15A4DA712"
X-Spam-Status: No, score=2.1
X-Spam-Score: 21
X-Spam-Bar: ++
X-Spam-Flag: NO
------------E1062B15A4DA712
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
hola my new photo , send u photo
------------E1062B15A4DA712
Content-Type: application/zip; name="my_new_photo372647863278462387.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="my_new_photo372647863278462387.zip"
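The checks the case study walks through by hand (who the origin hop really was, whether the Date header agrees with the receiving server's clock and time zone, what the spam score says, what is attached) can be scripted for triage. The example below was added for this page and is not the presenter's code. It reconstructs the case-study message from the headers on the slides (the ZIP content is a constructed ten-byte placeholder, not the real attachment) and parses it with Python's standard email module. The 600-second clock-skew threshold, the archive-extension list and the "Exim writes a bare IP literal when reverse DNS failed" rule are assumptions drawn from the Received lines on the slides.

```python
import email
import email.utils
import re
from email import policy

# Reconstructed from the case-study slides: the headers shown there plus the
# multipart body. The attachment content is a constructed 10-byte ZIP header.
CASE_STUDY = """\
Return-path: <clearsj@booking.yeah>
Envelope-to: me@mydomain.com
Delivery-date: Thu, 09 Apr 2015 09:20:33 -0700
Received: from [190.107.180.194] (port=38287 helo=booking.yeah)
\tby my.mailserver.com with esmtp (Exim 4.80)
\t(envelope-from <clearsj@booking.yeah>)
\tid 1YgFBp-000410-OG
\tfor me@mydomain.com; Thu, 09 Apr 2015 09:20:32 -0700
Date: Thu, 9 Apr 2015 12:20:25 -0400
From: "Phishinator" <clearsj@booking.yeah>
To: me@mydomain.com
Subject: Hola my photo
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------E1062B15A4DA712"
X-Spam-Score: 21
X-Spam-Flag: NO

------------E1062B15A4DA712
Content-Type: text/plain; charset=us-ascii

hola my new photo , send u photo
------------E1062B15A4DA712
Content-Type: application/zip; name="my_new_photo372647863278462387.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="my_new_photo372647863278462387.zip"

UEsDBAoAAAAAAA==
------------E1062B15A4DA712--
"""

ARCHIVE_EXT = (".zip", ".rar", ".7z")          # assumed list of archive extensions
AUTHENTICATED = ("esmtpa", "esmtpsa")          # Exim adds a trailing 'a' for authenticated submissions


def parse_received(value):
    """Origin address, reverse-DNS name, HELO, protocol and timestamp of one Received field."""
    v = " ".join(str(value).split())            # unfold and squeeze whitespace
    name = re.match(r"from\s+([^\s\[(]+)", v)   # Exim writes a hostname here only when rDNS resolved
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", v)
    helo = re.search(r"helo=([^\s)]+)", v)
    proto = re.search(r"\bwith\s+([^\s;]+)", v)
    stamp = v.rsplit(";", 1)[1].strip() if ";" in v else None
    return {
        "rdns": name.group(1) if name else None,
        "ip": ip.group(1) if ip else None,
        "helo": helo.group(1) if helo else None,
        "with": proto.group(1) if proto else None,
        "date": email.utils.parsedate_to_datetime(stamp) if stamp else None,
    }


def triage(raw):
    """Collect the artifacts the case study examines and list what an analyst should look at."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    origin = hops[-1] if hops else {}           # Received fields are prepended: the last one is the first hop
    sent = email.utils.parsedate_to_datetime(str(msg["Date"]))
    received = origin.get("date")
    skew = (received - sent).total_seconds() if received else None
    if origin.get("ip") and not origin.get("rdns"):
        findings.append("no reverse DNS name for origin %s (HELO %r); check the HELO name by hand"
                        % (origin["ip"], origin["helo"]))
    if origin.get("with") and origin["with"].lower() not in AUTHENTICATED:
        findings.append("origin hop used %s: not an authenticated submission" % origin["with"])
    if skew is not None and (skew < 0 or skew > 600):
        findings.append("sender clock is %.0f s off the receiving server" % skew)
    score = int(str(msg["X-Spam-Score"])) if msg["X-Spam-Score"] else None
    if score is not None and score > 0 and str(msg["X-Spam-Flag"] or "").strip().upper() == "NO":
        findings.append("positive spam score %d left unflagged" % score)
    attachments = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        head = (part.get_payload(decode=True) or b"")[:4]
        archive = filename.lower().endswith(ARCHIVE_EXT) or head.startswith(b"PK\x03\x04")
        attachments.append({"filename": filename, "type": part.get_content_type(), "archive": archive})
        if archive:
            findings.append("archive attachment %r" % filename)
    display, addr = email.utils.parseaddr(str(msg["From"]))
    return {
        "origin": origin,
        "skew_seconds": skew,
        "claimed_offset_hours": sent.utcoffset().total_seconds() / 3600,   # what the sender's Date claims
        "origin_offset_hours": received.utcoffset().total_seconds() / 3600 if received else None,
        "sender": {"display": display, "address": addr},
        "spam_score": score,
        "attachments": attachments,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in triage(CASE_STUDY)["findings"]:
        print("-", line)
```

On the case-study message the sender's Date and the first Received stamp are seven seconds apart once both are converted to UTC, so the clocks agree; what stands out is the -0400 offset claimed by a host whose address the slides trace to Peru (-0500), which the script surfaces as claimed_offset_hours for comparison with a geolocation lookup, along with the missing reverse DNS, the unauthenticated submission, the positive spam score and the ZIP attachment.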
Imagine the Possibilities
- Fingerprinting email clients/servers
- Map email relays
- Discover email client/server options
- Determine the hostname of the origin of the email
- Add data to intelligence framework
- What else can an adversary/cracker/media hacker/script kiddie do?
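Fingerprinting clients, mapping relays and recording the originating host from the samples earlier in the deck can be automated. This is an added example, not the presenter's code: it works from two header sets copied from the slides (bodies omitted, addresses masked as on the slides), identifies the client from X-Mailer/User-Agent, the Message-ID domain, the Android MIME boundary or the Exchange Thread-Index plus hex Message-ID combination, and lists each hop's relay, protocol and MTA banner together with any IronPort antivirus engine tag. The Message-ID hints and the "trailing a means authenticated" Exim convention are heuristics, not guarantees.

```python
import email
import re

# Constructed header sets modelled on the slide samples (values copied from the
# slides, bodies omitted, "XX.XX.XX.XX" masks kept as they appear there).
ANDROID_VIA_EXIM = """\
Return-path: <user1@test.com>
Received: from mobile-XX-XX-XX-XX.mycingular.net ([XX.XX.XX.XX]:30287 helo=[XX.XX.XX.XX])
\tby smtp.test.com with esmtpsa (TLSv1:RC4-MD5:128)
\t(Exim 4.80)
\t(envelope-from <user1@test.com>)
\tid 1YV64T-0005E1-CB
\tfor user2@test.com; Mon, 09 Mar 2015 15:22:45 -0700
Date: Mon, 09 Mar 2015 17:22:39 -0500
Message-ID: <a8cty6gci5w8ps6qa8ey2trx.1425939758643@email.android.com>
From: "James B." <user1@test.com>
To: Iv0ryW0lf <user2@test.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--_com.android.email_1810186420646610"

"""

OUTLOOK_VIA_EXCHANGE = """\
Return-path: <prvs=5039f90b3=user3@test.com>
Received: from gateway.test.com ([XX.XX.XX.XX]:46689 helo=smtp.test.com)
\tby smtp.test.com with esmtps (TLSv1:RC4-SHA:128)
\t(Exim 4.80)
\tid 1YV2yT-0005C6-7K
\tfor user2@test.com; Mon, 09 Mar 2015 12:04:22 -0700
X-IronPort-AV: E=Sophos;i="5.11,369,1422943200";
\td="png'150?scan'150,208,217,150";a="3126585"
Received: from smtp.test.biz (HELO smtp2.test.com) ([XX.XX.XX.XX])
\tby smtp.test.com with ESMTP/TLS/AES128-SHA; 09 Mar 2015 14:04:19 -0500
Received: from smtp.test.biz ([::1]) by smtp.test.biz
\t([::1]) with mapi id 14.03.0210.002; Mon, 9 Mar 2015 14:04:19 -0500
From: User 3 <user3@test.com>
To: "user2@test.com" <user2@test.com>
Thread-Index: AdBam5KRVOla9s5AR8qAXJaFPO3Xdg==
Date: Mon, 9 Mar 2015 19:04:18 +0000
Message-ID: <5527EAB237A7384AADEEF88EAC1A399F15520CEE@smtp.test.biz>
MIME-Version: 1.0

"""

# Message-ID domains seen on the slides and the client that generated them (heuristic).
MESSAGE_ID_HINTS = {
    "email.android.com": "Android Email app",
    "mail.gmail.com": "Gmail (web or mobile app)",
}


def hop_from_received(value):
    """Relay name, protocol and MTA banner of one Received field."""
    v = " ".join(str(value).split())            # unfold and squeeze whitespace
    by = re.search(r"\bby\s+(\S+)", v)
    proto = re.search(r"\bwith\s+([^\s;]+)", v)
    exim = re.search(r"\((Exim [^)]+)\)", v)
    mapi = re.search(r"\bwith mapi id ([\d.]+)", v)
    if mapi:
        software = "Microsoft Exchange (mapi id %s)" % mapi.group(1)
    elif exim:
        software = exim.group(1)
    else:
        software = "unknown"
    protocol = proto.group(1) if proto else ""
    return {
        "by": by.group(1) if by else None,
        "with": protocol,
        "software": software,
        # Exim spells authenticated submissions esmtpa / esmtpsa (trailing 'a').
        "authenticated": protocol.lower() in ("esmtpa", "esmtpsa"),
    }


def fingerprint_client(msg):
    """Best guess at the mail client, most explicit evidence first."""
    for explicit in ("X-Mailer", "User-Agent"):
        if msg[explicit]:
            return "%s: %s" % (explicit, " ".join(msg[explicit].split()))
    mid = (msg["Message-ID"] or "").strip()
    domain = mid.rsplit("@", 1)[-1].rstrip(">").lower() if "@" in mid else ""
    if domain in MESSAGE_ID_HINTS:
        return MESSAGE_ID_HINTS[domain] + " (Message-ID domain)"
    if "com.android.email" in (msg["Content-Type"] or ""):
        return "Android Email app (MIME boundary)"
    if msg["Thread-Index"] and re.match(r"<[0-9A-F]{32,}@", mid):
        return "Exchange/MAPI client such as Outlook (Thread-Index + Exchange-style Message-ID)"
    return "unknown"


def fingerprint(raw):
    msg = email.message_from_string(raw)
    hops = [hop_from_received(v) for v in reversed(msg.get_all("Received", []))]  # origin first
    gateway = None
    if msg["X-IronPort-AV"]:
        m = re.search(r'E=(\w+);i="([^"]+)"', " ".join(msg["X-IronPort-AV"].split()))
        gateway = (m.group(1), m.group(2)) if m else ("IronPort", "")
    return {"client": fingerprint_client(msg), "hops": hops, "gateway": gateway}


if __name__ == "__main__":
    for sample in (ANDROID_VIA_EXIM, OUTLOOK_VIA_EXCHANGE):
        print(fingerprint(sample))
```

The Outlook sample is the interesting one: no client header survives, so the client is inferred from the Exchange-generated Message-ID and Thread-Index, while the hop list reads Exchange, an unlabelled TLS hop (the IronPort gateway that also stamped X-IronPort-AV), then Exim. That is the relay map and the product-version inventory the slide asks for, and the same data an asset owner would want to see stripped or normalised at the border.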
Hacker FunTime, Yeah!
World of E-Craft
- My Setup (VirtualBox, Linux Mint, Sendmail, Python)
- Message Header (To, From, Subject, MIME-Version, Content-Type)
- Message Body (Whatever I want!!! And attachments!)
Python Snippet
import smtplib                                          # standard-library SMTP client
smtp = smtplib.SMTP('127.0.0.1', 25)                    # Sendmail running first (local relay on port 25)
smtp.sendmail(from_msg, to_msg.split(','), email_full)  # envelope sender, list of envelope recipients, raw message text
smtp.close()
- IP & port can just as well point at an external email relay
- from_msg & to_msg are the envelope sender and recipients handed to the SMTP server (MAIL FROM / RCPT TO), independent of the From/To header fields
- email_full is a string holding all headers & the body
- See above…Whatever I want!!!
World of E-Craft: Why?
- Generate phishing emails (hopefully based on real emails)
- Email Client/Server Fuzzing/Exploit (testing the limits)
- Change your own SPAM rating (Yep…all good!)
- Hide Data? Yes!!!
Python Snippet (Section of email_full)
X-NINJA: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAA…
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAsAAAAA4fug4AtAnNIbgBT0h…
VGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0A…
AAAAAAABdFx3bGXZziBl2c4gZdnOIGXZziAp2c4jlVmGIGHZziFJY2Zd…
- X-NINJA is a made-up header field
- X-NINJA data is tini.exe (3k Windows backdoor)
- What else could you do? Data exfiltration, maybe?
- 418 lines of 78-character base64 in my config, 23k or so
- Documentation states NO LIMITS!!!
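The defender's counterpart to an X-NINJA header is to go looking for one. The example below is added here (not the presenter's code) and builds its own message with a made-up header carrying a base64 blob whose first bytes are the DOS/PE MZ stub; it decodes any header whose value is pure base64 over a minimum length, checks the decoded bytes against well-known file magic, measures their entropy and notes whether the field is outside the set a normal message carries. The minimum length, the list of standard fields and the magic table are assumptions.

```python
import base64
import email
import math
import re

# Constructed message: a made-up X-NINJA field carrying base64 whose decoded
# bytes begin with the DOS/PE "MZ" stub. Built here, not copied from the slide.
PAYLOAD = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48
ENCODED = base64.b64encode(PAYLOAD).decode("ascii")
SAMPLE = (
    "From: a@example.invalid\n"
    "To: b@example.invalid\n"
    "Subject: test\n"
    "Message-ID: <1@example.invalid>\n"
    "X-NINJA: " + "\n ".join(ENCODED[i:i + 60] for i in range(0, len(ENCODED), 60)) + "\n"
    "\n"
    "body\n"
)

# Fields a plain message is expected to carry (assumed list); anything else is
# reported as non-standard so the analyst can see where the bytes are hiding.
STANDARD_FIELDS = {
    "from", "to", "cc", "bcc", "subject", "date", "message-id", "in-reply-to",
    "references", "mime-version", "content-type", "content-transfer-encoding",
    "content-disposition", "content-id", "received", "return-path",
    "delivery-date", "envelope-to", "dkim-signature", "x-mailer", "user-agent",
}
MAGIC = [(b"MZ", "DOS/PE executable"), (b"\x7fELF", "ELF executable"),
         (b"PK\x03\x04", "ZIP archive"), (b"%PDF", "PDF document")]
BASE64_ONLY = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(data):
    """Bits per byte: packed or encrypted data sits near 8, mostly-zero data near 0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))


def inspect_headers(raw, min_encoded_len=64):
    """Decode every header whose value is pure base64 and report what it carries."""
    msg = email.message_from_string(raw)
    findings = []
    for name, value in msg.items():
        compact = "".join(value.split())       # unfold: folded lines and all whitespace dropped
        if (len(compact) < min_encoded_len or len(compact) % 4
                or not BASE64_ONLY.match(compact)):
            continue
        try:
            blob = base64.b64decode(compact, validate=True)
        except ValueError:
            continue
        kind = next((label for magic, label in MAGIC if blob.startswith(magic)), None)
        findings.append({
            "header": name,
            "nonstandard": name.lower() not in STANDARD_FIELDS,
            "encoded_bytes": len(compact),
            "decoded_bytes": len(blob),
            "magic": kind,
            "entropy": round(shannon_entropy(blob), 2),
        })
    return findings


if __name__ == "__main__":
    for finding in inspect_headers(SAMPLE):
        print(finding)
```

A mail gateway or a forensic script can run this over the header block only, before the body is ever parsed: the 998-character line limit still applies to each folded line, but since nothing caps the number of lines or fields, a size budget for unrecognised X- headers is the practical control.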
Interesting Artifacts: Black Hat Edition, Literally
Interesting Artifacts
- SPAM headers (SpamAssassin, IronPort, etc)
- Test your well-crafted emails
- Antivirus headers (Sophos, Trend Micro, McAfee)
- Bypass outdated AV engines
- Virus Total test
- Received headers (Servers as Relays? Yes, please!)
- Scrape potential usernames, server IP/hostname
- Potential exploit of mail server based on version
- X-Mailer headers (Web client, Outlook, etc)
- Find weakness in clients…ATTACK!
- User-Agent headers (See X-Mailer)
- Still ATTACKING!
- And much, much, more!
Thank You
Email Samples
- HD Moore
- SAHA!/AHA!
- Jeff Schrunk
Support
- BSidesTexas
- SAHA!/AHA!
- iSec Partners – Austin
- Lumenate
- Brenda Boyd
Closing Time
eMail.1: James.Boyd@lumenate.com
eMail.2: iv0ryw0lf@satxhackers.org
Twitter: @Iv0ryW0lf
G-Stuff: iv0ryw0lf.01001001@gmail.com
Any Questions?
Thank you.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 

Recently uploaded (20)

Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 

BlackMailed - BSides SATX 2015

7. RFC5322 - Internet Message Format
• Message divided into lines of characters
• Line terminated by CR & LF (ASCII 13 & 10)
• Limitation: no more than 998 characters per line
• Recommended 78 characters, not including CR/LF
• Message Header – field name, colon, field body
  • e.g. Delivery-date: Fri, 08 Feb 2013 19:15:03 -0800
• Message Body – the data after the Message Header
  • Separated by the first CR/LF/CR/LF
  • If MIME identified, Multipart will contain a Content-Type with a boundary string
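As an added example (not from the deck), a minimal parser that applies the rules on this slide to a raw message: it normalises bare LF to CRLF, splits header from body at the first empty line, unfolds continuation lines, breaks each field at the colon, flags lines over the 998-character limit or the recommended 78, and pulls the MIME boundary out of Content-Type. The sample message is constructed from the Android/Exim header fields shown later in the deck with a made-up body.

```python
import re

MAX_LINE = 998          # hard limit per line, RFC 5322 section 2.1.1
RECOMMENDED_LINE = 78   # recommended limit, not counting the CRLF

# A field name is printable ASCII (33-126) except the colon itself.
FIELD_RE = re.compile(r"^([!-9;-~]+):(.*)$")


def split_message(raw: bytes):
    """Return (header_lines, body): the header block ends at the first empty line."""
    # Mailbox files often store bare LF; normalise so the CRLF rules below apply.
    raw = raw.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:             # no blank line at all: the message is header only
        body = b""
    return head.split(b"\r\n"), body


def unfold(lines):
    """Join folded continuation lines (leading SP or HTAB) onto the field they belong to."""
    fields = []
    for line in lines:
        if line[:1] in (b" ", b"\t") and fields:
            fields[-1] += b" " + line.strip()
        elif line:
            fields.append(line)
    return fields


def parse_headers(raw: bytes):
    """Return ([(name, body), ...], body_bytes, findings); findings are
    (line_number, description) pairs, with 0 marking a malformed field."""
    header_lines, body = split_message(raw)
    findings = []
    for n, line in enumerate(header_lines + body.split(b"\r\n"), start=1):
        if len(line) > MAX_LINE:
            findings.append((n, "over 998-character limit"))
        elif len(line) > RECOMMENDED_LINE:
            findings.append((n, "over recommended 78 characters"))
    headers = []
    for field in unfold(header_lines):
        m = FIELD_RE.match(field.decode("ascii", "replace"))
        if not m:
            findings.append((0, f"malformed header line: {field[:40]!r}"))
            continue
        headers.append((m.group(1), m.group(2).strip()))
    return headers, body, findings


def mime_boundary(headers):
    """Boundary parameter from a multipart Content-Type, or None when not multipart."""
    for name, value in headers:
        if name.lower() == "content-type" and value.lower().startswith("multipart/"):
            m = re.search(r'boundary="?([^";]+)"?', value)
            return m.group(1) if m else None
    return None


# Constructed sample: header fields taken from the Android/Exim slide, body made up.
SAMPLE = (
    b"Return-path: <user1@test.com>\r\n"
    b"Delivery-date: Mon, 09 Mar 2015 15:22:46 -0700\r\n"
    b"Received: from mobile-XX-XX-XX-XX.mycingular.net ([XX.XX.XX.XX]:30287)\r\n"
    b"\tby smtp.test.com with esmtpsa (Exim 4.80) id 1YV64T-0005E1-CB\r\n"
    b"\tfor user2@test.com; Mon, 09 Mar 2015 15:22:45 -0700\r\n"
    b"Subject: Test Message\r\n"
    b'Content-Type: multipart/alternative; boundary="--_com.android.email_1810186420646610"\r\n'
    b"\r\n"
    b"----_com.android.email_1810186420646610\r\n"
    b"Content-Type: text/plain\r\n\r\nhello\r\n"
    b"----_com.android.email_1810186420646610--\r\n"
)

if __name__ == "__main__":
    hdrs, body, problems = parse_headers(SAMPLE)
    for name, value in hdrs:
        print(f"{name}: {value}")
    print("boundary:", mime_boundary(hdrs))
    print("findings:", problems)
```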
8. RFC5322: Example Message
9. RFC5322: Example Message
10. RFC5322: Example Message
11. Internet Message Headers
12. Internet Message Headers
• MAIL FROM (SMTP command)
• RCPT TO (SMTP command)
• DATA (SMTP command)
• Envelope-to (recipient message delivered to)
• Delivery-date (date/time message delivered to email service/client)
• Received (list of message server hops needed to reach the mailbox)
• From (displays who the message is from)
• To (displays who the message is to)
• Subject (displays the subject of the email)
• Content-Type (format of the message)
• Message-Id (unique string assigned when message is first created)
• Date (date when the email was composed)
• X-Mailer (Mail client used)
• Content-ID (Reference embedded data within HTML)
• User-Agent (Like a browser)
13. Message Header Generators
14. What Generates the Message Headers?
Good question, "Face Riddler"!
• Clients
  • Thunderbird
  • Outlook
  • Web Mail
• Servers
  • Postfix
  • Sendmail
  • Exchange
• Relays
  • Same as servers, with autoforward
• Security Tools
  • Ironport
  • Barracuda
  • Proofpoint
15. Mail Client (Android email 4.2.2.0400), Mail Server (Exim 4.80)
Return-path: <user1@test.com>
Envelope-to: user2@test.com
Delivery-date: Mon, 09 Mar 2015 15:22:46 -0700
Received: from mobile-XX-XX-XX-XX.mycingular.net ([XX.XX.XX.XX]:30287 helo=[XX.XX.XX.XX])
 by smtp.test.com with esmtpsa (TLSv1:RC4-MD5:128) (Exim 4.80)
 (envelope-from <user1@test.com>)
 id 1YV64T-0005E1-CB
 for user2@test.com; Mon, 09 Mar 2015 15:22:45 -0700
Date: Mon, 09 Mar 2015 17:22:39 -0500
Subject: Test Message
Message-ID: <a8cty6gci5w8ps6qa8ey2trx.1425939758643@email.android.com>
Importance: normal
From: "James B." <user1@test.com>
To: Iv0ryW0lf <user2@test.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--_com.android.email_1810186420646610"
17. Mail Client (Android email 4.2.2.0400), Mail Server (Exchange Server & Ironport)
Return-path: <prvs=503ac6043=user4@test.com>
Envelope-to: user@test.org
Delivery-date: Mon, 09 Mar 2015 15:20:28 -0700
Received: from gateway.test.com ([XX.XX.XX.XX]:31360 helo=smtp.test.com)
 by smtp2.test.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.80)
 (envelope-from <prvs=503ac6043=user4@test.com>)
 id 1YV62G-0004wv-3R
 for user@test.org; Mon, 09 Mar 2015 15:20:28 -0700
X-IronPort-AV: E=Sophos;i="5.11,370,1422943200"; d="scan'208,217";a="3129279"
Received: from server.test.biz (HELO server.test.com) ([172.26.10.15])
 by smtp.test.com with ESMTP/TLS/AES128-SHA; 09 Mar 2015 17:20:27 -0500
Received: from server.test.biz ([::1]) by server.test.biz ([::1]) with mapi id 14.03.0210.002;
 Mon, 9 Mar 2015 17:20:27 -0500
From: James Boyd <user4@test.com>
To: Iv0ryW0lf <user@test.org>
Subject: Test Message
(Continued on next slide)
19. Mail Client (Android email 4.2.2.0400), Mail Server (Exchange Server & Ironport)
Thread-Topic: Test Message
Thread-Index: AdBatz48+W1T4OygRUGexKrXonooBg==
Date: Mon, 9 Mar 2015 22:20:26 +0000
Message-ID: <jmbkj4i5a0x8wc1ckc3sr2s2.1425939380752@email.android.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative; boundary="_000_jmbkj4i5a0x8wc1ckc3sr2s21425939380752emailandroidcom_"
MIME-Version: 1.0
X-Spam-Status: No, score=-1.8
X-Spam-Score: -17
X-Spam-Bar: -
X-Spam-Flag: NO
21. Mail Client (Gmail version 5.0.1 (1642443)), Mail Server (Exim 4.80)
Return-path: <user1@test.com>
Envelope-to: user2@test.com
Delivery-date: Mon, 09 Mar 2015 20:10:38 -0700
Received: from cpe-XX-XX-XX-XX.satx.res.rr.com ([XX.XX.XX.XX]:36549 helo=[XX.XX.XX.XX])
 by smtp.test.com with esmtpsa (TLSv1:DHE-RSA-AES128-SHA:128) (Exim 4.80)
 (envelope-from <user1@test.com>)
 id 1YVAZ3-0004Ic-Pe
 for user2@test.com; Mon, 09 Mar 2015 20:10:38 -0700
Date: Mon, 09 Mar 2015 22:10:30 -0500
Subject: Test Message
From: James `Iv0ryW0lf` Boyd <user1@test.com>
To: user2@test.com
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64
22. Mail Client (Gmail version 5.0.1 (1642443)), Mail Server (Exim 4.80)
Is Something Missing?
23. Mail Client (Gmail Version 5.0.1 (1642443)), Mail Server (Exchange Server & Ironport)
Return-path: <prvs=504468ce4=user4@test.com>
Envelope-to: user1@test.com
Delivery-date: Mon, 09 Mar 2015 20:02:11 -0700
Received: from gateway.test.com ([XX.XX.XX.XX]:60282 helo=smtp.test.com)
 by server.test.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.80)
 (envelope-from <prvs=504468ce4=user4@test.com>)
 id 1YVAQt-0003Zg-7A
 for user1@test.com; Mon, 09 Mar 2015 20:02:11 -0700
X-IronPort-AV: E=Sophos;i="5.11,371,1422943200"; d="scan'208";a="3130663"
Received: from server.test.biz (HELO smtp1.test.com) ([172.26.10.15])
 by smtp.test.com with ESMTP/TLS/AES128-SHA; 09 Mar 2015 22:02:10 -0500
Received: from server.test.biz ([::1]) by server.test.biz ([::1]) with mapi id 14.03.0210.002;
 Mon, 9 Mar 2015 22:02:10 -0500
From: James Boyd <user4@test.com>
To: "user1@test.com" <user1@test.com>
(Continued on next slide)
25. Mail Client (Gmail Version 5.0.1 (1642443)), Mail Server (Exchange Server & Ironport)
Subject: Test Message
Thread-Topic: Test Message
Thread-Index: AdBa3pkkGKXsFcpoT5O+Wn5hBWH5Ug==
Date: Tue, 10 Mar 2015 03:02:09 +0000
Message-ID: <24691FB1F4BBC1303824DF2F0AE0B8A7@server.test.biz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="utf-8"
Content-ID: <83B5A0DF6BC31F4FADA6DF2562C2B1DB@test.biz>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Spam-Status: No, score=-1.8
X-Spam-Score: -17
X-Spam-Bar: -
X-Spam-Flag: NO
27. Mail Client (Gmail Version 5.0.1 (1642443)), Mail Server (GMail)
Return-path: <test@gmail.com>
Envelope-to: user2@test.com
Delivery-date: Mon, 09 Mar 2015 20:11:50 -0700
Received: from mail-oi0-f54.google.com ([209.85.218.54]:39544)
 by server.test.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.80)
 (envelope-from <test@gmail.com>)
 id 1YVAaD-0004Na-NH
 for user2@test.com; Mon, 09 Mar 2015 20:11:50 -0700
Received: by oigi138 with SMTP id i138so33232364oig.6
 for <user2@test.com>; Mon, 09 Mar 2015 20:11:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:date:message-id:subject:from:to:content-type;
 bh=dKWTxk78twWIZ8v+fZ2Tnbc/noQKgx5iq9KCPakTkkU=;
 b=0pctzPh4gY9szcMXg796gt7E5865wfX1K35W8oY1zPgL6/jzuWdjd4kJ4WMtR
(Continued on next slide)
29. Mail Client (Gmail Version 5.0.1 (1642443)), Mail Server (GMail)
MIME-Version: 1.0
X-Received: by 10.60.103.116 with SMTP id fv20mr24693840oeb.2.1425957108489;
 Mon, 09 Mar 2015 20:11:48 -0700 (PDT)
Received: by 10.76.124.68 with HTTP; Mon, 9 Mar 2015 20:11:48 -0700 (PDT)
Received: by 10.76.124.68 with HTTP; Mon, 9 Mar 2015 20:11:48 -0700 (PDT)
Date: Mon, 9 Mar 2015 22:11:48 -0500
Message-ID: <CALTWypa6+KYYQ9syd0mc2L=WRfm8ZFyJcncozU8-+hWK=C6rKw@mail.gmail.com>
Subject: Test Message
From: James Boyd <test@gmail.com>
To: user2@test.com
Content-Type: multipart/alternative; boundary=089e01160664eaa19c0510e68202
X-Spam-Status: No, score=-1.6
X-Spam-Score: -15
X-Spam-Bar: -
X-Spam-Flag: NO
31. Mail Client (Outlook 2013 v15.0.4693.1002), Mail Server (Exchange Server & Ironport)
Return-path: <prvs=5039f90b3=user3@test.com>
Envelope-to: user2@test.com
Delivery-date: Mon, 09 Mar 2015 12:04:22 -0700
Received: from gateway.test.com ([XX.XX.XX.XX]:46689 helo=smtp.test.com)
 by smtp.test.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.80)
 (envelope-from <prvs=5039f90b3=user3@test.com>)
 id 1YV2yT-0005C6-7K
 for user2@test.com; Mon, 09 Mar 2015 12:04:22 -0700
X-IronPort-AV: E=Sophos;i="5.11,369,1422943200"; d="png'150?scan'150,208,217,150";a="3126585"
Received: from smtp.test.biz (HELO smtp2.test.com) ([XX.XX.XX.XX])
 by smtp.test.com with ESMTP/TLS/AES128-SHA; 09 Mar 2015 14:04:19 -0500
Received: from smtp.test.biz ([::1]) by smtp.test.biz ([::1]) with mapi id 14.03.0210.002;
 Mon, 9 Mar 2015 14:04:19 -0500
From: User 3 <user3@test.com>
To: "user2@test.com" <user2@test.com>
Subject: Test Message
(Continued on next slide)
33. Mail Client (Outlook 2013 v15.0.4693.1002), Mail Server (Exchange Server & Ironport)
Thread-Topic: Test Message
Thread-Index: AdBam5KRVOla9s5AR8qAXJaFPO3Xdg==
Date: Mon, 9 Mar 2015 19:04:18 +0000
Message-ID: <5527EAB237A7384AADEEF88EAC1A399F15520CEE@smtp.test.biz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [XX.XX.XX.XX]
Content-Type: multipart/related; boundary="_004_5527EAB237A7384AADEEF88EAC1A399F15520CEEXXXX01xxx_"; type="multipart/alternative"
MIME-Version: 1.0
X-Spam-Status: No, score=-1.9
X-Spam-Score: -18
X-Spam-Bar: -
X-Spam-Flag: NO
  • 35. Case Study: Interesting Artifacts Copyright © 2015. Lumenate Technologies, LP. All rights reserved.35
  • 36. Artifact: Received Copyright © 2015. Lumenate Technologies, LP. All rights reserved.36 Received: from [190.107.180.194] (port=38287 helo=booking.yeah) by my.mailserver.com with esmtp (Exim 4.80) (envelope-from <clearsj@booking.yeah>) id 1YgFBp-000410-OG for me@mydomain.com; Thu, 09 Apr 2015 09:20:32 -0700 190.107.180.194 AS262235 Country: PE Registration Date: 2012-06-01 Registrar: lacnic Owner: NETLINE PERU SA,PE booking.yeah Non-authoritative answer: Name: booking.yeah Address: 5.57.16.220 Non-authoritative answer: 220.16.57.5.in-addr.arpa name = www.booking.yeah.
  • 37. Artifact: Dates Copyright © 2015. Lumenate Technologies, LP. All rights reserved.37 Delivery-date: Thu, 09 Apr 2015 09:20:33 -0700 Received: from [190.107.180.194] (port=38287 helo=booking.yeah) by my.mailserver.com with esmtp (Exim 4.80) (envelope-from <clearsj@booking.yeah>) id 1YgFBp-000410-OG for me@mydomain.com; Thu, 09 Apr 2015 09:20:32 -0700 Date: Thu, 9 Apr 2015 12:20:25 -0400 GMT -0400 = EDT (GMT -0500 would be EST) GMT -0700 = PDT (GMT -0800 would be PST) Peru = GMT -0500 (Same time as EST, if we didn’t care about Daylight)
  • 38. Artifact: Email Addresses Copyright © 2015. Lumenate Technologies, LP. All rights reserved.38 Return-path: <clearsj@booking.yeah> Envelope-to: me@mydomain.com Received: from [190.107.180.194] (port=38287 helo=booking.yeah) by my.mailserver.com with esmtp (Exim 4.80) (envelope-from <clearsj@booking.yeah>) id 1YgFBp-000410-OG for me@mydomain.com; Thu, 09 Apr 2015 09:20:32 -0700 From: “Phishinator" <clearsj@booking.yeah> To: me@mydomain.com NO! FaceRiddler, the email is not legitimate. Let me finish! Booking.yeah! Seems Legit!
• 39. Artifact: Some Others
    Subject: Hola my photo
    Content-Type: multipart/mixed; boundary="----------E1062B15A4DA712"
    X-Spam-Status: No, score=2.1
    X-Spam-Score: 21
    X-Spam-Bar: ++
    X-Spam-Flag: NO

    ------------E1062B15A4DA712
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 7bit

    hola my new photo , send u photo
    ------------E1062B15A4DA712
    Content-Type: application/zip; name="my_new_photo372647863278462387.zip"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="my_new_photo372647863278462387.zip"
• 40. Imagine the Possibilities
• 41. Imagine the Possibilities
    - Fingerprinting email clients/servers
    - Map email relays
    - Discover email client/server options
    - Determine the hostname of the origin of the email
    - Add data to intelligence framework
    - What else can an adversary/cracker/media hacker/script kiddie do?
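The checks walked through on the Artifact slides (36 to 39) and the relay-map and fingerprinting ideas on this slide, automated in one script. This is an added example, not code from the deck: the message is reconstructed from the header fields shown on the slides, and the whois and DNS answers shown there are embedded as small lookup tables (`WHOIS_COUNTRY`, `DNS_A`, `UTC_OFFSET_HOURS`) so it runs offline; `MAX_SKEW_SECONDS` is an assumed tolerance. The relay map handles any number of Received hops, not only the single hop in the sample.

```python
"""Header consistency checks and relay map for the phishing sample (added example)."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr, parsedate_to_datetime

# Lookups copied from the slides (whois / nslookup output), kept as constructed tables.
WHOIS_COUNTRY = {"190.107.180.194": "PE"}        # AS262235, NETLINE PERU SA
DNS_A = {"booking.yeah": "5.57.16.220"}          # what the HELO name resolves to
UTC_OFFSET_HOURS = {"PE": -5}                    # Peru, no daylight time
MAX_SKEW_SECONDS = 300                           # assumed tolerance, Date vs Received

# Constructed from the Artifact slides; the zip body is an empty-archive placeholder.
RAW_PHISH = """\
Return-path: <clearsj@booking.yeah>
Envelope-to: me@mydomain.com
Delivery-date: Thu, 09 Apr 2015 09:20:33 -0700
Received: from [190.107.180.194] (port=38287 helo=booking.yeah)
\tby my.mailserver.com with esmtp (Exim 4.80)
\t(envelope-from <clearsj@booking.yeah>)
\tid 1YgFBp-000410-OG
\tfor me@mydomain.com; Thu, 09 Apr 2015 09:20:32 -0700
Date: Thu, 9 Apr 2015 12:20:25 -0400
From: "Phishinator" <clearsj@booking.yeah>
To: me@mydomain.com
Subject: Hola my photo
Content-Type: multipart/mixed; boundary="----------E1062B15A4DA712"

------------E1062B15A4DA712
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

hola my new photo , send u photo
------------E1062B15A4DA712
Content-Type: application/zip; name="my_new_photo372647863278462387.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="my_new_photo372647863278462387.zip"

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
------------E1062B15A4DA712--
"""

RECEIVED_FIELDS = {
    "ip": re.compile(r"from \[(\d{1,3}(?:\.\d{1,3}){3})\]"),
    "helo": re.compile(r"helo=([^\s)]+)"),
    "by": re.compile(r"\bby (\S+)"),
    "mta": re.compile(r"with \S+ \(([^)]+)\)"),         # MTA fingerprint, e.g. "Exim 4.80"
    "envelope_from": re.compile(r"envelope-from <([^>]+)>"),
}


def parse_received(value):
    """Extract one hop from a Received header; folded whitespace is collapsed first."""
    flat = re.sub(r"\s+", " ", str(value)).strip()
    hop = {}
    for key, rx in RECEIVED_FIELDS.items():
        m = rx.search(flat)
        hop[key] = m.group(1) if m else None
    hop["when"] = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())  # date follows last ';'
    return hop


def analyze(raw):
    msg = message_from_string(raw, policy=default)
    # Each relay prepends its Received header, so the last one listed is the hop
    # nearest the sender; reverse to get the path in delivery order.
    hops = [parse_received(v) for v in msg.get_all("Received", [])][::-1]
    origin = hops[0]
    date_hdr = parsedate_to_datetime(str(msg["Date"]))
    findings = []

    # Date header vs the first MTA's own timestamp (clock skew or a forged Date).
    skew = int((date_hdr - origin["when"]).total_seconds())
    if abs(skew) > MAX_SKEW_SECONDS:
        findings.append(f"Date is {skew:+d}s from the first Received timestamp")

    # Timezone claimed in Date vs where the connecting IP is registered (slide 37).
    date_offset = date_hdr.utcoffset().total_seconds() / 3600
    country = WHOIS_COUNTRY.get(origin["ip"])
    expected = UTC_OFFSET_HOURS.get(country)
    if expected is not None and date_offset != expected:
        findings.append(f"Date offset {date_offset:+.0f}h, but {origin['ip']} is in "
                        f"{country} (UTC{expected:+d})")

    # HELO name vs the IP that actually connected (slide 36).
    helo_ip = DNS_A.get(origin["helo"])
    if helo_ip and helo_ip != origin["ip"]:
        findings.append(f"helo={origin['helo']} resolves to {helo_ip}, not {origin['ip']}")

    # From, Return-path and envelope-from should name the same sender (slide 38).
    senders = {parseaddr(str(msg["From"]))[1], parseaddr(str(msg["Return-path"] or ""))[1],
               origin["envelope_from"]} - {None, ""}
    if len(senders) > 1:
        findings.append(f"sender identities disagree: {sorted(senders)}")

    # Archive attachment in an unsolicited message (slide 39).
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    findings += [f"archive attachment: {n}" for n in attachments
                 if n.lower().endswith((".zip", ".rar", ".7z"))]

    relay_map = [f"{h['ip']} (helo={h['helo']}) -> {h['by']} [{h['mta']}]" for h in hops]
    return {"relay_map": relay_map, "skew_seconds": skew, "date_offset_hours": date_offset,
            "senders": sorted(senders), "findings": findings}


if __name__ == "__main__":
    result = analyze(RAW_PHISH)
    for line in result["relay_map"]:
        print("hop:", line)
    for finding in result["findings"]:
        print("finding:", finding)
```

Treat the timezone comparison as one scoring signal rather than a verdict (travellers and VPN users legitimately produce mismatches), and remember that only the Received header your own MTA added is trustworthy; every hop below it was written by someone else and can be forged.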
• 42. Hacker FunTime, Yeah!
• 43. World of E-Craft
    - My Setup (VirtualBox, Linux Mint, Sendmail, Python)
    - Message Header (To, From, Subject, MIME-Version, Content-Type)
    - Message Body (Whatever I want!!! And attachments!)
    Python Snippet
        import smtplib
        smtp = smtplib.SMTP('127.0.0.1', 25)  # Sendmail running first
        # envelope sender, envelope recipients, raw message (headers + body)
        smtp.sendmail(from_msg, to_msg.split(','), email_full)
        smtp.close()
    - IP & Port can be set to external email relays
    - from_msg & to_msg are for the SMTP server (the envelope, not the header From/To)
    - email_full contains all headers & body
    - See above…Whatever I want!!!
• 44. World of E-Craft: Why?
    - Generate phishing emails (hopefully based on real emails)
    - Email Client/Server Fuzzing/Exploit (testing the limits)
    - Change your own SPAM rating (Yep…all good!)
    - Hide Data? Yes!!!
    Python Snippet (Section of email_full)
        X-NINJA: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAA…
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAsAAAAA4fug4AtAnNIbgBT0h…
        VGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0A…
        AAAAAAABdFx3bGXZziBl2c4gZdnOIGXZziAp2c4jlVmGIGHZziFJY2Zd…
    - X-NINJA is a made up header field
    - X-NINJA data is tini.exe (3k Windows backdoor)
    - What else could you do? Data exfiltration maybe?
    - 418 lines/78 char base64 in my config, 23k or so
    - Documentation states NO LIMITS!!!
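The defensive side of the X-NINJA trick: a header scanner that flags custom fields carrying a large base64 blob and checks what the blob decodes to, so a binary smuggled through an unknown X- header is caught at the gateway or in the mail spool. This is an added example, not code from the deck. The message is constructed, and the X-NINJA value is a harmless stand-in that only mimics a PE header (the MZ magic plus the DOS stub text) so the magic check fires; `LONG_HEADER`, `MIN_BLOB` and the `B64_OK` allow-list are assumed tunables.

```python
"""Flag header fields that smuggle base64-encoded binaries (added example)."""
import base64
import hashlib
import re
from email import message_from_string

# Tunables (assumptions for this example, not from the deck).
LONG_HEADER = 2048                 # total characters after unfolding
MIN_BLOB = 64                      # ignore short tokens such as Message-IDs
B64_OK = {"dkim-signature", "arc-seal", "arc-message-signature", "thread-index"}
MAGIC = {b"MZ": "Windows PE", b"\x7fELF": "ELF", b"PK\x03\x04": "ZIP", b"%PDF": "PDF"}
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def fold_header(name, value, width=76):
    """Fold a long header body into RFC 5322 continuation lines."""
    chunks = [value[i:i + width] for i in range(0, len(value), width)]
    return f"{name}: " + "\n\t".join(chunks)


def build_sample():
    """Constructed message whose X-NINJA header carries a fake PE header, not a program."""
    fake_pe = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
               + b"\x00" * 48
               + b"This program cannot be run in DOS mode.\r\n$"
               + bytes(range(256)) * 12)            # filler so the blob is header-sized
    blob = base64.b64encode(fake_pe).decode()
    headers = [
        "Received: from [127.0.0.1] by my.mailserver.com with esmtp (Exim 4.80)",
        "From: sender@example.test",
        "To: me@mydomain.com",
        "Subject: nothing to see here",
        "Message-ID: <abc123@example.test>",
        fold_header("X-NINJA", blob),
        "MIME-Version: 1.0",
        "Content-Type: text/plain; charset=us-ascii",
    ]
    return "\n".join(headers) + "\n\nhello\n"


def scan_headers(raw):
    """Return one finding per header that looks like a smuggled blob."""
    msg = message_from_string(raw)                  # compat32: raw, unparsed header values
    findings = []
    for name, value in msg.items():
        compact = re.sub(r"\s+", "", value)          # drop folding whitespace
        if name.lower() in B64_OK or len(compact) < MIN_BLOB:
            continue
        reasons = []
        if len(compact) > LONG_HEADER:
            reasons.append(f"{len(compact)} chars in one header")
        decoded = None
        if B64_RE.match(compact) and len(compact) % 4 == 0:
            try:
                decoded = base64.b64decode(compact, validate=True)
            except ValueError:
                decoded = None
        if decoded is not None:
            reasons.append(f"base64 payload of {len(decoded)} bytes")
            for magic, label in MAGIC.items():
                if decoded.startswith(magic):
                    reasons.append(f"decodes to {label}")
                    break
        if reasons:
            findings.append({
                "header": name,
                "chars": len(compact),
                # hash of the carved blob: look it up or submit it without forwarding the mail
                "sha256": hashlib.sha256(decoded).hexdigest() if decoded else None,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_headers(build_sample()):
        print(f["header"], f["chars"], f["sha256"], "; ".join(f["reasons"]))
```

Run it from a milter or over an existing spool; extend `B64_OK` with whatever legitimate signature headers your environment adds, and treat a plain "long header" hit as lower confidence than a decode-to-magic hit.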
• 45. Interesting Artifacts: Black Hat Edition, Literally
• 46. Interesting Artifacts
    - SPAM headers (Spam Assassin, IronPort, etc)
      - Test your well-crafted emails
    - AntiVirus headers (Sophos, Trend Micro, McAfee)
      - Bypass outdated AV engines
      - Virus Total test
    - Received headers (Servers as Relays? Yes, please!)
      - Scrape potential usernames, server IP/hostname
      - Potential exploit of mail server based on version
    - X-Mailer headers (Web client, Outlook, etc)
      - Find weakness in clients…ATTACK!
    - User-Agent headers (See X-Mailer)
      - Still ATTACKING!
    - And much, much, more!
• 47. Thank You
    Email Samples
    - HD Moore
    - SAHA!/AHA!
    - Jeff Schrunk
    Support
    - BSidesTexas
    - SAHA!/AHA!
    - iSec Partners – Austin
    - Lumenate
    - Brenda Boyd
• 48. Closing Time
    eMail.1: James.Boyd@lumenate.com
    eMail.2: iv0ryw0lf@satxhackers.org
    Twitter: @Iv0ryW0lf
    G-Stuff: iv0ryw0lf.01001001@gmail.com
    Any Questions?
• 49. Thank you.