In the current article, we will demonstrate how to simulate a Spoof E-mail attack that bypasses
an existing SPF sender verification implementation.
The current article series includes two articles.
The former article is How can hostile element execute Spoof E-mail attack and bypass existing
SPF implementation? | introduction | 1#2
Disclaimer
For the avoidance of any doubt, this demonstration should not be applied, in any form or
manner whatsoever, for exploiting and attacking organizations.
The only purpose of this article is to provide you with a way that could be used for verifying the
mail security settings of your existing mail infrastructure, so you will be aware of existing
vulnerabilities in your mail infrastructure and can find the required solutions for mitigating
and blocking the holes that can, and probably will, be exploited by a variety of hostile elements.
Page 2 of 19 | How to simulate Spoof E-mail attack and bypass SPF sender verification? | 2#2
How To Simulate Spoof E-Mail Attack And Bypass SPF Sender Verification | Step By Step
In the following screenshot, we can see an example of the SPF record (a TXT record) that was
created for the dummy domain name thankyouforsharing.org.
The IP address that appears in the record is the IP address of the mail server that the hostile
element uses for sending the Spoof E-mail to the destination recipient.
The recipient whom the hostile element seeks to attack is Bob, the company CEO, who uses the
E-mail address bob@o365pilot.com
The fake identity that the hostile element will use is the identity of Suzan, the company
CFO, who uses the E-mail address suzan@o365pilot.com
The hostile element knows that the mail infrastructure of o365pilot.com implements an
SPF sender verification check for each incoming mail.
To be able to bypass the SPF sender verification check, the hostile element uses a
dummy domain name named thankyouforsharing.org
The hostile element will use an E-mail message that includes two sender E-mail
addresses:
o evil@thankyouforsharing.org
o suzan@o365pilot.com
Using an SMTP Telnet session for executing the Spoof E-mail attack
In the following section, we will review how to run a simulation of a Spoof E-mail attack in which
we use an SMTP telnet session for executing the attack.
The telnet client that we use
Technically, we can use the built-in Windows telnet client, but this telnet client is a little limited
and not so convenient.
Personally, I would like to work with a dedicated telnet application. There are a variety of free
telnet clients. In our specific scenario, I use a very nice telnet client named ConEmu.
The two parts of the SMTP telnet session
It is important to me to emphasize the two parts of the SMTP telnet session:
The first part (A) is the part in which we use the SMTP commands that are related to
the Mail envelope.
The second part (B) is the part in which we use the SMTP commands that are related to
the Mail header.
The set of two identities that we use in the SMTP telnet session
To be able to bypass the SPF sender check, we will use a set of two identities:
In the following screenshot, we can see the complete SMTP telnet session that simulates the
Spoof E-mail attack:
The purpose of the first part is to occupy the destination mail server with non-useful information
that will help us present ourselves as a legitimate organization.
The purpose of the second part is to send the Spoof E-mail that includes the
information about the spoofed sender.
In the following section, we provide a step-by-step description of the SMTP telnet
commands that we use:
0. Addressing the destination mail server
Using an SMTP telnet session for communicating with the destination mail server
To be able to address the destination mail server, meaning the mail server that represents the
domain which we want to attack (in our example, the mail server that represents the
domain o365pilot.com), we need to know the hostname or the IP address of the destination mail
server (the hostname that appears in the MX record for the specific domain name).
The telnet command that we use for starting an SMTP session with another mail server is:
Telnet <Mail server Hostname \ IP address> 25
Note: notice that the sender identity is related to the dummy domain that we use. This is not
the sender identity that we want to present to the end user, but instead just a temporary
identity that will mislead the destination mail server that performs the SPF verification test.
The command syntax that we use is
mail from: evil@thankyouforsharing.org
3. Provide the recipient identity
In this part, we provide the recipient identity (the recipient E-mail address) by using the command:
RCPT TO:
In our specific scenario, we want to send the Spoof E-mail to the destination recipient Bob.
The command syntax that we use is
rcpt to: bob@o365pilot.com
The purpose of this phase is to provide the required information for building the Mail
header part, meaning the sender and the recipient identities plus the information that will appear
in the E-mail message that will be sent to the destination recipient.
Just a quick reminder: in the mail header phase, we use the FROM field for specifying the
sender identity, and the TO field for specifying the destination recipient identity.
4. Initializing the Mail header section
To be able to signal the destination mail server that we want to start the Mail header phase,
we use the command
data
5. Providing the spoofed identity of the sender
In this step, we provide the apparent identity of the company CFO, Suzan.
To make the spoofed identity look like a reliable and trusted identity in the eyes of the
destination recipient, we will provide two separate parts of Suzan's identity:
Suzan's display name + Suzan's E-mail address
The display name of the spoofed sender is the string that appears between the quotation
marks.
The spoofed E-mail address of the sender is the E-mail address between the angle
brackets.
To be able to end the message data and complete the SMTP session, we use the point (period)
character on a line of its own:
.
The only hint that the specific E-mail message is not a standard E-mail message
(a Spoof E-mail in our scenario) is the way the Outlook client displays the information
about the sender identity.
When we look in depth at the top part of the E-mail message, we can notice that the
information about the sender includes the E-mail address of the sender.
If you are wondering how Outlook noticed that the E-mail message was not sent by a standard
organization user, the answer is that when we use the telnet session, we provide the
spoofed E-mail address, but we don't provide any user credentials.
For this reason, the sender is identified as Anonymous (the information is saved in a mail field
named X-MS-Exchange-Organization-AuthAs).
When the Outlook or OWA mail client recognizes a scenario in which the sender is considered
Anonymous, the information about the sender will include the E-mail address of the source
sender.
In our specific example, we will use the Microsoft web tool ExRCA (Exchange Remote
Connectivity Analyzer) for analyzing the information that was saved in the mail header.
How to extract the mail header information from the E-mail message?
To get the information that is stored in the E-mail message (the Spoof E-mail that was sent
to the recipient Bob), we need to select the specific E-mail message, choose the File menu
and then the option Properties.
We will access the ExRCA (Exchange remote connectivity analyzer) website by using the
following URL address: https://testconnectivity.microsoft.com/
At the top of the screen, we can see the basic information about the identity of the sender and
the recipient.
In the summary section (A), notice that the information about these identities is the information
that we provided in the second phase of the telnet session, which we described as the
Mail header phase.
As mentioned, the mail server removes the Mail envelope, which includes the information about
the sender identity stored in the MAIL FROM field.
In our specific scenario, the E-mail address that we used in the MAIL FROM field was
evil@thankyouforsharing.org.
The information about this E-mail address was removed; the mail header will include the
sender E-mail address that appears in the FROM mail field.
The sender information that appears is the information that is seen by the destination
recipient (Bob). In other words, from Bob's perspective, the E-mail message was sent by Suzan, the
company CFO.
In the Received header section (B), we can see information about the mail servers that were
involved in the mail flow.
The information about each of the mail servers includes the IP address of the mail server and,
in case the mail server provides its name, that name (the term name could be translated to
hostname, domain name or FQDN).
In our specific scenario, the mail server that we use for simulating the Spoof E-mail attack
provides the name thankyouforsharing.org
The mail server hostname was provided by us in the SMTP telnet session, at the beginning
of the session, when we used the HELO command.
Notice that when using the SPF sender check, the verification is regarding the domain name
and not the whole E-mail address.
Received-SPF
In the section named Received-SPF, we can see additional information:
We can see that the destination mail server (the mail server that hosts Bob) informs us that it
considers the mail server that represents the domain name thankyouforsharing.org to be a
legitimate mail server: thankyouforsharing.org designates 212.25.80.239 as permitted sender.
Pass (protection.outlook.com: domain of thankyouforsharing.org designates 212.25.80.239 as
permitted sender) receiver=protection.outlook.com; client-ip=212.25.80.239;
helo=thankyouforsharing.org;
As we have already learned, the destination mail server removes the Mail envelope after it
finishes the required procedure for accepting the E-mail message.
So theoretically, there is no information about the sender who was mentioned in the Mail
envelope (the MAIL FROM field).
This assumption is correct, apart from one exception: the RETURN-PATH field.
The SMTP standard defines that the responsibility of the destination mail server is to fetch
the E-mail address that appears in the MAIL FROM field and copy this E-mail address to
the RETURN-PATH field.
The destination mail server wipes out the information that appears in the Mail envelope, but one
thing that the destination mail server does before it removes the Mail envelope is copy the
information that appears in the MAIL FROM field into an additional mail field named
RETURN-PATH.
The purpose of this mail field is to hold the E-mail address that will be used in case the
E-mail message cannot be delivered to the destination recipient.
In case the destination mail server needs to notify the source sender about some
problem, the NDR message will be sent to this E-mail address (the E-mail address that was
registered as the RETURN-PATH).
In our scenario, the E-mail address (the dummy E-mail address) that appeared in the mail
envelope was evil@thankyouforsharing.org
The destination mail server copied this E-mail address, and the result is that this E-mail address
populates the field RETURN-PATH.
In other words, the only evidence that we have for the trick that was implemented by the
hostile element is the information that is stored in the RETURN-PATH field.
The last detail that I would like to review is the part in which we classify the source sender as
a known recipient or an anonymous sender.
In our scenario, the hostile element spoofs the identity of a legitimate organization user by
presenting himself as suzan@o365pilot.com
Despite the fact that we managed to bypass the SPF sender verification mechanism and
managed to deliver the E-mail message to the destination recipient's mailbox, the sender didn't
provide user credentials.
For this reason, the sender was classified as Anonymous.
This observation can help us identify and detect E-mail messages that
manage to bypass our SPF wall.
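The three traces discussed above (RETURN-PATH carrying the envelope sender, Received-SPF naming the domain that was actually verified, and X-MS-Exchange-Organization-AuthAs set to Anonymous for an internal From address) can be turned into a header check. The following Python is an added example, not code from the original article; the header samples are constructed from the article's scenario with a TEST-NET IP address, and INTERNAL_DOMAINS is an assumed list of the domains you protect.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed: the domains whose users we protect (the article's o365pilot.com).
INTERNAL_DOMAINS = {"o365pilot.com"}

# Constructed sample modelled on the article's scenario (not a real capture):
# envelope sender evil@thankyouforsharing.org, header From spoofing the CFO.
SPOOF_HEADERS = """\
Return-Path: <evil@thankyouforsharing.org>
Received-SPF: Pass (protection.outlook.com: domain of thankyouforsharing.org designates 192.0.2.25 as permitted sender) receiver=protection.outlook.com; client-ip=192.0.2.25; helo=thankyouforsharing.org;
X-MS-Exchange-Organization-AuthAs: Anonymous
From: "Suzan CFO" <suzan@o365pilot.com>
To: bob@o365pilot.com
Subject: Urgent wire transfer
"""

# Constructed control sample: an internal, authenticated message whose
# envelope sender and header From agree.
LEGIT_HEADERS = """\
Return-Path: <suzan@o365pilot.com>
X-MS-Exchange-Organization-AuthAs: Internal
From: "Suzan CFO" <suzan@o365pilot.com>
To: bob@o365pilot.com
Subject: Q3 numbers
"""

def domain_of(addr):
    """Domain part of an RFC 5322 address, e.g. '"X" <a@b.com>' -> 'b.com'."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()

def spf_domain(received_spf):
    """Domain the receiver actually verified, taken from the Received-SPF text."""
    m = re.search(r"domain of (\S+?) designates", str(received_spf or ""))
    return m.group(1).lower() if m else ""

def analyze(raw_headers):
    """Return a list of findings; an empty list means no mismatch was seen."""
    msg = email.message_from_string(raw_headers, policy=policy.default)
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    spf_dom = spf_domain(msg.get("Received-SPF"))
    auth_as = str(msg.get("X-MS-Exchange-Organization-AuthAs") or "").strip().lower()
    findings = []
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    if spf_dom and spf_dom != from_dom:
        findings.append(f"SPF verified {spf_dom}, not the From domain {from_dom}")
    if from_dom in INTERNAL_DOMAINS and auth_as == "anonymous":
        findings.append("internal From address but sender authenticated as Anonymous")
    return findings
```

The same domain-alignment comparison is what DMARC formalizes; the AuthAs check is specific to Exchange Online headers and only applies to mail that claims an internal From address.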