email authentication for penetration testers
play

Email Authentication for Penetration Testers 29.12.2019, 36c3 - PowerPoint PPT Presentation

Oct 03, 2023 •282 likes •861 views

Email Authentication for Penetration Testers 29.12.2019, 36c3 Andrew Konstantjnov, andrejs@cert.lv Who am I? Andrew, andrejs@cert.lv 679A C8D4 A391 6736 D558 07C1 D3D9 0B7C 666A EDCD Currently work for: cert.lv Previously worked

  1. Email Authentication for Penetration Testers 29.12.2019, 36c3 Andrew Konstantjnov, andrejs@cert.lv

  2. Who am I? ● Andrew, andrejs@cert.lv – 679A C8D4 A391 6736 D558 07C1 D3D9 0B7C 666A EDCD ● Currently work for: cert.lv ● Previously worked at: 29.12.2019 - Andrew Konstantjnov - andrejs@cert.lv

  3. Why pentesters should care? Source: “Global DMARC Adoption 2019” by 250ok 29.12.2019 - Andrew Konstantjnov - andrejs@cert.lv

  4. Contents 1) Intro to SMTP 2) Basic spoofing 3) SPF 4) DKIM 5) DMARC 6) Unauthenticated relays 29.12.2019 - Andrew Konstantjnov - andrejs@cert.lv

  5. Who is this talk for? ● Penetration testers / Red teamers ● Sysadmins / Mail admins ● Newbies willing to learn about email 29.12.2019 - Andrew Konstantjnov - andrejs@cert.lv

  6. Email threat landscape ● Insufficient account authentication (passwords & more) ● Webmail (usual web app risks) ● Phishing / Spearphishing / BEC Topic of this talk – Attacks relying on user error – Attacks w/o any user-visible signs of tampering ● Vulnerability assessment (missed patches & configuration errors) ● DoS (incl. spam) 29.12.2019 - Andrew Konstantjnov - andrejs@cert.lv

  7. A little (poorly kept) secret ● (Availability && Reliability) >>> Security ● Support costs easier to quantify than risk ● Backwards compatibility >>> Innovation 29.12.2019 - Andrew Konstantjnov - andrejs@cert.lv

  8. Intro to SMTP

  9. Normal data fmow 1) Alice sends mail to Bob: MX Bob’s Org Email Client Outgoing Server Incoming Server Email Client Alice Alice’s Org Bob’s Org Bob MX 2) Bob sends mail to Alice: Alice’s Org Email Client Incoming Server Outgoing Server Email Client Alice Alice’s Org Bob’s Org Bob 29.12.2019 - Andrew Konstantjnov - andrejs@cert.lv

  10. Normal data fmow 3) Alice receives mail from her colleague: Email Client Outgoing Server Alice’s Colleague Alice’s Org Email Client Incoming Server Alice Alice’s Org 29.12.2019 - Andrew Konstantjnov - andrejs@cert.lv

  11. An example of SMTP conversation HELO sendhost.a.org MAIL FROM: <alice@a.org> SMTP Envelope RCPT TO: <bob@b.org> (RFC 5321) DATA From : “Alice” <alice@a.org> To : “Bob” <bob@b.org> Headers Date : Sat, 29 Dec 2019 14:00:00 +0100 Subject : Test message Content/Message Hi Bob, (RFC 5322) Body Long time no see. How are you? Bye . QUIT 29.12.2019 - Andrew Konstantjnov - andrejs@cert.lv

  12. Envelope-Sender vs From Email as seen by me: Email as seen by email admins: 29.12.2019 - Andrew Konstantjnov - andrejs@cert.lv

  13. From: relatives RFC 5322 (3.6.2) defines following Originator In practice: headers: Messages with malformed headers ● still likely to be delivered (best effort) ● From: If more than 1 header present, ● – Max 1 header, may contain multiple addresses typically the 1st one takes priority ● Sender: Resent-From: and Resent-Sender: ● have similar semantics – Max 1 header, may contain one address Headers displayed to user are ● Reply-To: ● implementation-dependent – Max 1 header, may contain multiple addresses None of the Originator headers are ● actually required 29.12.2019 - Andrew Konstantjnov - andrejs@cert.lv

  14. Basic spoofing

  15. Data fmow in spoofjng attacks 1) Chuck sends mail to Bob, impersonating Alice MX Bob’s Org Email Client Outgoing Server Incoming Server Email Client Alice Alice’s Org Bob’s Org Bob Chuck 29.12.2019 - Andrew Konstantjnov - andrejs@cert.lv

  16. Data fmow in spoofjng attacks 2) Chuck sends mail to Alice, impersonating Bob MX Alice’s Org Email Client Incoming Server Outgoing Server Email Client Alice Alice’s Org Bob’s Org Bob Chuck 29.12.2019 - Andrew Konstantjnov - andrejs@cert.lv

  17. Data fmow in spoofjng attacks 3) Chuck sends mail to Alice, impersonating her coworker Email Client Outgoing Server Alice’s Colleague Alice’s Org Chuck Email Client Incoming Server Alice Alice’s Org 29.12.2019 - Andrew Konstantjnov - andrejs@cert.lv

  18. You’ve been hacked! (or have you?) 1) Change password if still in use 2) Identify hacked service (HaveIBeenPwned, Firefox Monitor) 3) Stop reusing passwords & Start using password manager 4) Enable MFA 5) Ask your email admin to implement anti-spoofing 29.12.2019 - Andrew Konstantjnov - andrejs@cert.lv

  19. A spoofed SMTP conversation HELO sendhost.a.org MAIL FROM: <alice@a.org> SMTP Envelope RCPT TO: <bob@b.org> (RFC 5321) DATA From : “Alice” <alice@a.org> To : “Bob” <bob@b.org> Headers Date : Sat, 29 Dec 2019 14:00:00 +0100 Subject : Test message Content/Message Hi Bob, (RFC 5322) Body Long time no see. How are you? Bye . QUIT 29.12.2019 - Andrew Konstantjnov - andrejs@cert.lv

  20. Ad-hoc protection mechanisms Limited efficacy against spoofing: ● Check sender’s existence through SMTP callback ● Check that hostname in HELO/EHLO matches sender IP – Resolve hostname – Make reverse DNS lookup (PTR record) for sender IP Not effective at all, but need to take in account ● Reputation of sender IP (DNS blacklists) ● Greylisting 29.12.2019 - Andrew Konstantjnov - andrejs@cert.lv

  21. Intro to SPF

  22. Sender Policy Framework (SPF) Mirrors MX records Envelope-Sender limits hosts that are allowed to send mail MX Bob’s Org Email Client Outgoing Server Incoming Server Email Client Alice Alice’s Org Bob’s Org Bob SPF Alice’s Org 29.12.2019 - Andrew Konstantjnov - andrejs@cert.lv

  23. SPF syntax Example: v=spf1 ip4:234.123.61.237 -all Common mechanisms: – IP4 / IP6 – A ● Resolve DNS entry (a:smtp.alice.tld) ● Without listing a DNS entry, resolves domain part after @ (typically points to the web server) – MX ● Resolve incoming mail servers (mx:alice.tld) – ALL – INCLUDE 29.12.2019 - Andrew Konstantjnov - andrejs@cert.lv

  24. Qualifjers ● + (PASS) – The default one, rarely used explicitly ● - (FAIL) – Usually used with “-ALL” ● ~ (SOFTFAIL) – Testing, mail should not rejected if matches here 29.12.2019 - Andrew Konstantjnov - andrejs@cert.lv

  25. Examples ● v=spf1 a a:smtp.alice.tld -all ● v=spf1 include:_spf.google.com -all 29.12.2019 - Andrew Konstantjnov - andrejs@cert.lv

  26. Usage of SPF globally ● ~75% of 100k ● ~55% of 1m ● Majority uses SOFTFAIL ● Source: https://trends.builtwith.com/mx/SPF ● Note: – Not all websites might have mails (those should have “v=spf1 -all”) – Impossible to calculate how many incoming servers check it 29.12.2019 - Andrew Konstantjnov - andrejs@cert.lv

  27. Spoofing mails protected by SPF

  28. ~ALL E.g. recommended record for G Suite: – “v=spf1 include:_spf.google.com ~all ” Why SOFTFAIL is popular: – Bugs in configuration/implementation – “ -ALL ” breaks naïve forwarding, mailing lists – “ ~ALL ” enough for delivery to major hosters (mass effect) 29.12.2019 - Andrew Konstantjnov - andrejs@cert.lv

  29. A tricky case of “include” Example: – “v=spf1 include :spf.protection.outlook.com -all” Quote from RFC: – In hindsight, the name "include" was poorly chosen. Only the evaluated result of the referenced SPF record is used, rather than literally including the mechanisms of the referenced record in the first. For example, evaluating a "-all" directive in the referenced record does not terminate the overall processing and does not necessarily result in an overall "fail". (Better names for this mechanism would have been "if-match", "on-match", etc.) Wrong usage: – No “-ALL” in the top record (default is “?ALL” which makes result NEUTRAL) – “~ALL” in the top, “-ALL” in subrecord 29.12.2019 - Andrew Konstantjnov - andrejs@cert.lv

  30. Too many rules in SPF record Example: – v=spf1 ip4:1.2.3.4/24 a a:my-hosting.tld mx ptr -all Causes: – Admins not being sure how SPF works – Truly messy architecture There is generally no need to include MX Including web server in designated senders – huge attack surface 29.12.2019 - Andrew Konstantjnov - andrejs@cert.lv

  31. SPF fmaws: insuffjcient granularity ● IP indicated by SPF might contain multiple services ● Even if mail is the only service – multiple domains ● Exploiting any of them (SSRF will do) leads to SPF PASS ● Shared hosting: – Attackers can exploit the oldest website – Pentesters can simply purchase hosting on the same server 29.12.2019 - Andrew Konstantjnov - andrejs@cert.lv

  32. SPF fmaws: checking wrong identifjer ● Fatal design flaw! ● Only Envelope-Sender is protected ● End user typically does not see Envelope-Sender ● From: header (displayed by email client) not protected ● Behavior fixed by DMARC, but majority SPF installations do not have DMARC configured 29.12.2019 - Andrew Konstantjnov - andrejs@cert.lv

  33. Intro to DKIM

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education

Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education

Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education System and Network Engineering June 30, 2011 Agenda Introduction DNSSEC security IPv6 security Conclusion Questions Security of IPv6

625 views • 33 slides
Peer-to-peer Sender Authentication for Email Vivek Pathak and Liviu Iftode Rutgers University

Peer-to-peer Sender Authentication for Email Vivek Pathak and Liviu Iftode Rutgers University

Peer-to-peer Sender Authentication for Email Vivek Pathak and Liviu Iftode Rutgers University Email Trustworthiness Sender can be spoofed Need for Sender Authentication Importance depends on sender Update on Spam Filters

1.02k views • 55 slides
View The Email to Get Hacked: Attacking SMS-based Two-Factor Authentication Philipp Markert,

View The Email to Get Hacked: Attacking SMS-based Two-Factor Authentication Philipp Markert,

View The Email to Get Hacked: Attacking SMS-based Two-Factor Authentication Philipp Markert, Florian Farke, and Markus Drmuth Santa Clara, California, USA | WAY 2019 | August 11, 2019 Two-Factor Authentication 1 1 2 1 Gmail 2FA

415 views • 28 slides
Lightweight Authentication for Email (and Web?) Ben Adida ben@mit.edu PAW/DIG Meeting June

Lightweight Authentication for Email (and Web?) Ben Adida ben@mit.edu PAW/DIG Meeting June

Lightweight Authentication for Email (and Web?) Ben Adida ben@mit.edu PAW/DIG Meeting June 30th, 2005 (joint work with Susan Hohenberger and Ronald L. Rivest) Distributed Phishing Friends and Colleagues Jakobsson &amp; Young 2005

335 views • 21 slides
AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

613 views • 27 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

1.66k views • 27 slides
26 June 2020 Local Digital Landscape 58% 159% Unique mobile user SIM penetration penetration

26 June 2020 Local Digital Landscape 58% 159% Unique mobile user SIM penetration penetration

Rural Bankers Association of the Philippines 67 th Annual National Convention 26 June 2020 Local Digital Landscape 58% 159% Unique mobile user SIM penetration penetration Average time spent on internet 9 hours 67% and 45 Filipinos are

587 views • 16 slides
A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization, Sessions Authentication Determining user identity Multiple ways What you know (password) What you have (phone, RSA SecureID, Yubikey)

1.57k views • 28 slides
Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password Token-based authentication Third party authentication Local Authentication How to store and verify password? Clear Data can be hacked

615 views • 14 slides
ts% 5.s% s.0% 1..9% November 730 3761 4825 1026 County Monthly Avg 45249 68984 ro2792

ts% 5.s% s.0% 1..9% November 730 3761 4825 1026 County Monthly Avg 45249 68984 ro2792

FY16 Quarter L Penetration Report Ethnicity State Penetration Rate 3.78% s.09% 10.134/o 3.81o/a 10.144/o 7.39o/o July 2015 1462 653 4534 119 2497 978 County Monthly Avg 70255 10662 140147 1046 33644 19089 County Penetration Rate

423 views • 9 slides
The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch Security Engineer kbabioch@suse.de New authentication standards ... 2 Some authentication technologies ... 3 - Authentication theory -

1.28k views • 88 slides
Peering Into the White Box: A testers approach to code reviews Alan Page M icrosoft

Peering Into the White Box: A testers approach to code reviews Alan Page M icrosoft

Peering Into the White Box: A testers approach to code reviews Alan Page M icrosoft self-promotion slide http:/ / angryweasel.com/ blog http:/ / www.hwtsam.com http:/ / twitter.com/ alanpage Code Reviews really? The Testers Point of

535 views • 17 slides
Outline Introduction Authentication Basic authentication mechanisms CS 239

Outline Introduction Authentication Basic authentication mechanisms CS 239

Outline Introduction Authentication Basic authentication mechanisms CS 239 Authentication on a single machine Computer Security Authentication across a network February 21, 2007 Lecture 9 Lecture 9 Page 1 Page 2 CS 236,

302 views • 8 slides
Synchronizing automata: new techniques and results Raphal Jungers UCLouvain Jiao Tong Univ.,

Synchronizing automata: new techniques and results Raphal Jungers UCLouvain Jiao Tong Univ.,

Synchronizing automata: new techniques and results Raphal Jungers UCLouvain Jiao Tong Univ., Apr. 2015 Joint work with Franois Gonze Sy Sync nchroniz hronizing ing au automa omata ta Synchronizing word (or reset sequence)

628 views • 59 slides
Public Screening Module for Security Officer PWM Grade 1 The screening allows an individual /

Public Screening Module for Security Officer PWM Grade 1 The screening allows an individual /

Public Screening Module for Security Officer PWM Grade 1 The screening allows an individual / SA / IHE to check the PWM grade of a security officer. SingPass is not required. 2 Access through SPF webpage with the following steps: 1.

471 views • 12 slides
Path Calculation and Setup Sources: MPLS Forum V. Alwayn, Advanced MPLS Design and Implementation

Path Calculation and Setup Sources: MPLS Forum V. Alwayn, Advanced MPLS Design and Implementation

Path Calculation and Setup Sources: MPLS Forum V. Alwayn, Advanced MPLS Design and Implementation , Cisco Press E. W. Gray, MPLS Implementing the Technology , Addison Wesley B. Davie and Y. Rekhter, MPLS Technology and Applications , Morgan

1.29k views • 64 slides
SPFBL 2014 Season Parents Night 3/25/2014

SPFBL 2014 Season Parents Night 3/25/2014

SPFBL 2014 Season Parents Night 3/25/2014

297 views • 7 slides
ELEC / COMP 177 Fall 2015 Some slides from Kurose

ELEC / COMP 177 Fall 2015 Some slides from Kurose

ELEC / COMP 177 Fall 2015 Some slides from Kurose and Ross, Computer Networking , 5 th Edition Presentation 1 Application-Layer Protocol

573 views • 41 slides
Simulating Quantum Chromodynamics coupled with Quantum Electromagnetics on the lattice Yuzhi Liu

Simulating Quantum Chromodynamics coupled with Quantum Electromagnetics on the lattice Yuzhi Liu

Simulating Quantum Chromodynamics coupled with Quantum Electromagnetics on the lattice Yuzhi Liu Indiana University liuyuz@indiana.edu Fermilab Lattice and MILC Collaborations The 36th Annual International Symposium on Lattice Field Theory

460 views • 25 slides
EMAIL DELIVERABILITY WORLDWIDE, J UST 79% OF COMMERCIAL EMAILS LANDS IN THE INBOX . THIS MEANS

EMAIL DELIVERABILITY WORLDWIDE, J UST 79% OF COMMERCIAL EMAILS LANDS IN THE INBOX . THIS MEANS

EMAIL DELIVERABILITY (AKA GETTING INTO THE INBOX) FACTS ABOUT EMAIL DELIVERABILITY WORLDWIDE, J UST 79% OF COMMERCIAL EMAILS LANDS IN THE INBOX . THIS MEANS FOR EVERY FIVE EMAILS SENT, ONE NEVER REACHES THE INTENDED RECIPIENT.

392 views • 15 slides
When Service-oriented Computing Meets the IoT: A Use-case in the Context of Urban Mobile

When Service-oriented Computing Meets the IoT: A Use-case in the Context of Urban Mobile

When Service-oriented Computing Meets the IoT: A Use-case in the Context of Urban Mobile Crowdsensing Valrie Issarny, Inria Joint work with G. Bouloukakis, N. Georgantas, F. Sailhan, G. Texier, B. Lefvre &amp; others 1 - 28/11/2019

972 views • 39 slides

More recommend