Email Spoofing with Python Tools

July 5, 2016 | Views: 31698

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

 

Greetings to all,

Email spoofing is a very old technique. It’s still widely used in the schemes Spear Phishing or Spear Apps to trick a user into believing they’re receiving an email from a specific person. That is, a user impersonates another and try to make a credible message as possible. In many processes of ethical hacking, email spoofing must be performed to verify several things. For example, a set of employees are aware and don’t fall to this kind of practice. Although, sometimes, it’s very difficult not to fall.

At the same time, you can verify the correct configuration of attenuation mechanisms as SPF (Sender Policy Framework) / SenderID, DKIM (Domain Keys Idetified Mail) or DMARC (Domain-based Message Authentication, Reporting and Conformance). The only effective solution is that all employees use digital signature systems as SMIME or PGP.

Today, I’ll talk about a couple of tools written in Python that can be used in our processes of Ethical Hacking. They show if a domain is spoofeable and could be used to send a fake email that deceives the victim.

A tool that’s really been more useful, perhaps because of its simplicity, is the SpoofCheck. This tool allows you to check a series of conditions to show whether a domain is spoofeable or not. The tool will tell you if the domain you want to replace is probably spoofeable or not.

Additionally, the SimpleEmailSpoofer tool is a script written in Python that handles connections to a local SMTP server Postfix. It carries out sending e-mail with the parameters and attributes that you indicate to the application.

Installation or download of these applications is very simple. They can be obtained directly from their Github repositories. Once you’ve downloaded both tools with the git clone command, you must install the dependencies ith the execution of the command pip install –r requirements.txt

 

SpoofCheck

When is a domain spoofeable?

The SpoofCheck tool handles checking a number of conditions. Here, we can see the conditions are evaluated and determine if a domain is spoofeable or not:

  • Absence of SPF record or DMARC.
  • The domain DNS SPF record does not specify ~ all or -all.
  • The DMARC policy is set to p = none or does not exist.

 

Seeing these conditions, we’ll perform some tests with known domains. In the first example, we’ll analyze apple.com. As you can see in the picture below, Apple has an SPF record enabled and with -all policy. However, although there are DMARC records, the policy is not specific, so that domain is potentially spoofeable.

Apple Example

Apple has improved its policy, as happened when Celebgate, the domain had the policy ~ all, made it even easier to replace.

 

As a second example, we’ll perform an analysis of Gmail and Outlook – free email providers most used in the world. As you can see in the picture both have SPF record, where the IP addresses or domains used by authorized mail servers are included. Both have applied DMARC, but the policy is not specific. The application SpoofCheck returns that both are potentially spoofeables domains.

Gmail and Outlook Example

In the case of PayPal, we observe a welcome difference. It’s not spoofeable because the SPF record has a specified IP addresses, DMARC and enabled policy rejection.

 

Paypal Example

Remember that PayPal has other small errors or weaknesses, such as the ability to steal accounts and user failure to register a non-real email when creating a PayPal account

 

SimpleEmailSpoofer

The SimpleEmailSpoofer tool is very simple to set up and run. The first thing is to have a file in which we include the HTML code body. Shown below, there’s a small example of an email from Apple. In the body, you can see the loading an image, which is the apple of Apple.

Simple Email Spoofer Example

 

The file generated should use a number of parameters to send email. Before you can use SimpleEmailSpoofer, you need to be sure that Postfix is installed on the system. If not installed, you must run the command apt-get install postfix, and later service postfix start.

Different parameters are used to indicate the file with the body of the message, the email address to send the email, the sender address you want to spoof and name of the user who sent the email. Finally, the parameter -j allows us to indicate the subject with which the mail is sent. If we review the email that’s been set up, we see how it could easily pass for a real mail.

Email Spoof Example

 

 

The above tools are useful to have in our backpack for our audits and ethical hacking. The SpoofCheck tool is especially important, as it allows us to infer if a domain is spoofeable and see whether we’ll succeed or not with the manipulation and creation of a false email on our audit.


Download Tools

https://github.com/BishopFox/spoofcheck

https://github.com/lunarca/SimpleEmailSpoofer

Share with Friends
FacebookTwitterLinkedInEmail
Use Cybytes and
Tip the Author!
Join
Share with Friends
FacebookTwitterLinkedInEmail
Ready to share your knowledge and expertise?
20 Comments
  1. this is interesting

Page 4 of 4«1234
Comment on This

You must be logged in to post a comment.

Related Reads
InfoSec Cheat Sheets
November 5, 2017
24293

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge

 
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel