make public
mo-xiaoxi committed Oct 6, 2020
1 parent 325f5c9 commit e455f68
Showing 63 changed files with 18,193 additions and 1 deletion.
8 changes: 8 additions & 0 deletions .gitignore
@@ -0,0 +1,8 @@
.idea
venv
__pycache__/*
.DS_Store
*.pyc
*.log
/log/smtp.log
/log/mta.log
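Review bot: `config/account.json` is added in this same commit with `apipass` and `passwd` fields but is not listed here, so real credentials will end up in history the first time someone fills it in; add `config/account.json` to `.gitignore` and commit a template such as `config/account.json.example` instead. Also, `*.log` already matches `/log/smtp.log` and `/log/mta.log`, so those two lines are redundant.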
Empty file modified LICENSE
100644 → 100755
Empty file.
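Review bot: the mode change `100644 → 100755` makes LICENSE executable, which a plain-text license file should not be; revert it with `git update-index --chmod=-x LICENSE` before committing.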
189 changes: 188 additions & 1 deletion README.md
@@ -1 +1,188 @@
# EmailSpoofingTestTools
# EmailSpoofingTestTools

> This tool is based on our latest research,"Weak Links in Authentication Chains: A Large-scale
> Analysis of Email Sender Spoofing Attacks", accepted at USENIX Security '21.
EmailSpoofingTestTools is a fuzzing tool for email sender spoofing attacks. This fuzzing tool can generate a number of test samples based on the ABNF grammar for authentication-related headers. Besides, we also provide an evaluation module to help email administrators to evaluate and increase their security.

Our research systematically analyzes the email delivery process based on the four key stages of authentication: sending authentication, receiving verification, forwarding verification and UI rendering.

As shown in the figure below, we define three types of email sender spoofing attacks: a. Shared MTA Attack, b. Direct MTA Attack. c. Forward MTA Attack. Furthermore, we found 14 email spoofing attacks capable of bypassing SPF, DKIM, DMARC, and user-interface protections.

<div align=center><img src="./img/threat_model.png" width = "600" height = "320" alt="Threat Model" align=center /></div>

By conducting a "cocktail" joint attack, a spoofing email can completely pass all prevalent email security protocols, and no security warning is shown on the receiver’s MUA. Therefore, it is challenging to identify whether such an email is spoofing, even for people with a senior technical background.

The following figure shows a spoofing example to impersonate [email protected] via Gmail. All the three email security protocols give "pass" verification results to the spoofing email.

<div align=center><img src="./img/example.png" width = "400" height = "450" alt="Example" align=center /></div>



## Install

- Make sure have python3 installed in your computer.
- Download this tool

```bash
git clone https://github.com/EmailTestTools/EmailTestTools.git
```

- Install dependencies

```bash
sudo pip install -r requirements.txt
```

## Configure

- Set the recipient address in `config.py`

```python
# Change receiveUser to what you like to test.
receiveUser = "[email protected]"
```

- Configure your email account in `config/account.json`.

```json
{
"gmail.com": {
"user": "[email protected]",
"apipass": "apipass",
"passwd": "passwd",
"smtp_server": "mail.test.com:25",
"imap_server": "imap.test.com:143",
"pop3_server": "pop.test.com:110",
"ssl_smtp_server": "mail.test.com:465",
"ssl_imap_server": "imap.test.com:993",
"ssl_pop3_server": "pop.test.com:995"}
}
```

You can configure more than one account, and designate sending account in `config.py `.

```python
# The domain name to be tested
target_domain = "gmail.com"
```

## Fuzzing

#### 1. Generate malformed From headers.

[pre_fuzz.py](./pre_fuzz.py) will automatically grab the ABNF rules in the relevant email specifications and generate test samples according to the ABNF rules. Since common mail services usually refuse to handle emails with highly deformed headers, we have specified set certain values for our empirical experiment purposes. Besides, we also introduced the common mutation methods in the protocol fuzz, such as header repeating, inserting spaces, inserting Unicode characters, header encoding, and case variation
**Usage:**

| Short Form | Long Form | Description |
| ---------- | --------- | ------------------------------------------------------------ |
| -r | --rfc | The RFC number of the ABNF rule to be extracted. |
| -t | --target | The field to be fuzzed in ABNF rules. |
| -c | --count | The amount of ambiguity data that needs to be generated according to ABNF rules. |

**Example:**

```bash
python3 pre_fuzz.py -r 5322 -t from -c 255
```

**Screenshots:**

<div align=center><img src="./img/screenshots.png" width = "800" height = "500" alt="screenshots" align=center /></div>

**Generated Test Sample:**

```json
"From :,()<[email protected]>(comment),(\r\n)\r\n",
"From: <=?utf-8?RnJvbTp3b3Jkd29yZCgNCik8YXR0YWNrZXJAdG9wLmNvbT4sQWxpY2VAeW1haWwuY29tLHdlYm1hc3RlckBsaXZlLmNvbSxhZG1pbkBpY2xvdWQuY29tLHNlY3VyaXR5QHNvaHUuY29tDQo==?=>\u0000@attack.com",
"From: <=?utf-8?RnJvbTooY29tbQ0KZW50KTxockBtc24uY29tPix3b3Jkd29yZChoaSk8TWlrZUBhbGl5dW4uY29tPix3b3JkPGFkbWluQGhvdG1haWwuY29tPihoaSksd29yZHdvcmR3b3JkKCk8QHFxLmNvbTpAMTYzLmNvbTpzZWN1cml0eUBhbGl5dW4uY29tPihjb21tDQplbnQpDQo==?=>\u0000@attack.com",
"From:[email protected],(),,,word<[email protected]>\r\n",
" FrOM: <[email protected]>\r\nFrom:(comm\r\nent)<@qq.com:@163.com:[email protected]>,word<[email protected]>,word(comment)<[email protected]>(comm\r\nent)\r\n",
" Fromÿ: <[email protected]>\r\nFrom:[email protected]\r\n",
" Fromÿ: <[email protected]>\r\nFrom:(\r\n)<@gmail.com:@b.com:[email protected]>,word(comment)<@qq.com:@163.com:[email protected]>,<@a.com:@b.com:[email protected]>(comment)\r\n",
"From :,(\r\n),[email protected],word<[email protected]>(comm\r\nent),\r\n",
"From:()<@a.com:@b.com:[email protected]>(comm\r\nent)\r\n",
"From: <[email protected]>\r\nFrom:(comm\r\nent),[email protected]\r\n",
" From:,,(comment),[email protected],(hi)\r\n",
"From: ,<@gmail.com:@b.com:[email protected]>,(hi)<@gmail.com:@b.com:[email protected]>,(hi),,(),\r\n",
"From: (hi)<[email protected]>(),[email protected],word(comment)<@a.com:@b.com:[email protected]>(),word<[email protected]>(\r\n)\r\n",
" Fromÿ: <[email protected]>\r\nFrom:,[email protected],,(hi),,(),\r\n",
...
```

For more test samples, please check this [file](https://github.com/EmailTestTools/EmailTestTools/blob/master/config/fuzz.json).

#### 2. Send spoofing emails with malformed sender address

[run_test.py](./run_test.py) will use the generated samples to test the security verification logic of the target mail system. We also carefully control the message sending rate with intervals over 10 minutes to minimize the impact's target email services.

You can choose **Shared MTA** or **Direct MTA** to send spoofing emails. At the same time, you can also choose **MIME From** or **MAIL From** header to test.

| Short Form | Long Form | Description |
| ---------- | --------- | ------------------------------------------------- |
| -m | --mode | Attack mode ( SMTP: Shared MTA, MTA: Direct MTA). |
| -t | --target | The target field to test. (MIME / MAIL ) |

For example, if you want to use Direct MTA to fuzz MIME From header, you can execute:

```bash
python3 run_test.py -m MTA -t MIME
```

By the way, if you want to use Shared MTA , you need to configure email sending account in `config/account.json` and `config.py`.

#### 3. Analyze and summarize the employed adversarial techniques

We analyze and summarize the employed adversarial techniques that make email sender spoofing successful in practice. We use two scripts to verify vulnerabilities in the real world.

[smtp_send.py](./smtp_send.py) simulates as user's MUA to Sender's MTA via SMTP protocol (**Shared MTA**). It is to test the security issues of the Sender's MTA and test whether the receiver can accept the abnormal emails.

[mta_send.py](./mta_send.py) simulate as Sender's MTA to communicate with Receiver's MTA (**Direct MTA**). This tool can be simulated as any email sender and can test receiver's security.

## Evaluation

We provide an evaluation tool to help email administrators to evaluate and strengthen their security. After configuring the target email system information, this tool will try to interact with the target system and evaluate whether it is vulnerable to the attacks we found. For the vulnerable attacks, administrators can configure corresponding filtering rules to defend against attacks.

- Configure the recipient address and your email sending account.

- Just excute:

```bash
python3 evaluate.py
```

The program will use both shared MTA and direct MTA methods to try to send forged emails to the recipient.

- Check whether these emails are in the inbox of the recipient account.

The body of these forged emails contains detailed information about each header in email and corresponding defense measures, such as rejecting the letter, providing security warnings on the front end, etc. If a forged email enters the inbox of the target mail system, the administrator can easily understand the attack principle and take effective measures to defend it.

It should be noted that when using Direct MTA to test, some email headers need to be manually specified in some email spoofing attacks. So you may need to configure these headers' default values in `config.py`.

```python
# Some default values in Direct MTA Attack when the attack does not specify these parameter values
mail_from = '[email protected]'
mime_from = '[email protected]'
reply_to = mime_from
sender = "[email protected]"
to_email = '[email protected]'
subject = 'This is subject'
content = """This is content"""
helo = 'test.com'
```

The following is an example of using this tool to evaluate the security of the target email system.

You can see that some spoofing emails have entered the inbox of the target email system. This means that the target system may be vulnerable to the corresponding attacks

![list.png](img/list.png)



You can get more information by reading the content of the email, including details of the attack and how to fix such vulnerabilities.

![img/demo.png](img/demo.png)

## Version

Current version is 1.2
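Review bot: the heading `# EmailSpoofingTestTools` appears twice at the top of the file; drop one copy. The `config.py` excerpt in the Evaluation section shows `to_email = '[email protected]'`, but `config.py` in this commit sets `to_email = receiveUser`, so the README and the code disagree on where the recipient comes from. `sudo pip install -r requirements.txt` installs into the system interpreter as root; prefer `python3 -m pip install -r requirements.txt` inside the `venv` that `.gitignore` already anticipates. Minor: "Make sure have python3 installed" should read "Make sure you have python3 installed", and "excute" should read "execute".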
43 changes: 43 additions & 0 deletions config.py
@@ -0,0 +1,43 @@
#!/usr/bin/env python

import os, json
from util.util import init_log, banner

BASE_DIR = os.path.dirname(os.path.abspath(__file__))
LOG_FILE = BASE_DIR + '/log/run.log'
FUZZ_PATH = BASE_DIR + '/config/fuzz.json'
RULE_PATH = BASE_DIR + '/config/rule.json'
ACCOUNT_PATH = BASE_DIR + '/config/account.json'

logger = init_log(LOG_FILE)

with open(RULE_PATH, 'r') as f:
CONFIG_RULES = json.load(f)

with open(ACCOUNT_PATH, 'r') as f:
ACCOUNTS = json.load(f)

# The domain name to be tested
target_domain = "gmail.com"

account = ACCOUNTS[target_domain]
user = account['user']
passwd = account['apipass']
smtp_server = account['smtp_server']

# Change receiveUser to what you like to test.
receiveUser = "[email protected]"

# Some default values in Direct MTA Attack
mail_from = '[email protected]'
mime_from = '[email protected]'
reply_to = mime_from
sender = "[email protected]"
to_email = receiveUser
subject = 'This is subject'
content = """This is content"""
helo = 'test.com'
filename = None
image = None

#
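Review bot: `passwd = account['apipass']` reads the `apipass` field while `account.json` also carries a `passwd` field, so a user who fills in `passwd` and leaves `apipass` at its placeholder will authenticate with the literal string `apipass`; rename the variable to `apipass` or document which field the SMTP login actually uses. `banner` is imported from `util.util` but never used, the trailing bare `#` line is a leftover, and `BASE_DIR + '/log/run.log'` and the sibling paths would be more robust as `os.path.join(BASE_DIR, 'log', 'run.log')`.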
13 changes: 13 additions & 0 deletions config/account.json
@@ -0,0 +1,13 @@
{
"gmail.com": {
"user": "[email protected]",
"apipass": "apipass",
"passwd": "passwd",
"smtp_server": "mail.test.com:25",
"imap_server": "imap.test.com:143",
"pop3_server": "pop.test.com:110",
"ssl_smtp_server": "mail.test.com:465",
"ssl_imap_server": "imap.test.com:993",
"ssl_pop3_server": "pop.test.com:995"
},
}
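Review bot: the trailing comma after the `"gmail.com"` object (`},` immediately followed by `}`) is not valid JSON, so `json.load(f)` in `config.py` will raise `json.JSONDecodeError` as soon as `config` is imported; remove the comma. Since this file is where real `passwd` and `apipass` values go, it should be shipped as a committed template (for example `account.json.example`) with the real file ignored.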