Welcome to Packet Hacking Village
10:00-10:25 The Vulnerability That Gmail Overlooked and Enabling Threat Hunting
The slide shown during the presentation is below. There is no detailed information below. You can follow the slide by watching the presentation video above.Whoami
Özkan Mustafa AKKUŞ - Vulnerability Researcher && Pentester
Presentation Schedule
1.0. SMTP protocol structure and threats 2.0. Analysis of threatening emails and sending them by live demos 3.0. Where does this threatening vulnerability come from in Gmail 4.0. Results and scheme of the research 5.0. A exclusive tool as a bonus
1.0. SMTP Protocol Structure and Threats
History and final version of the SMTP: According to Internet Engineering Task Force The simple structure of the SMTP protocol can be shown as follows:
+----------+ +----------+
+------+ | | | |
| User |<-->| | SMTP | |
+------+ | Client- |Commands/Replies| Server- |
+------+ | SMTP |<-------------->| SMTP | +------+
| File |<-->| | and Mail | |<-->| File |
|System| | | | | |System|
+------+ +----------+ +----------+ +------+
SMTP client SMTP server
The simplest structure:
+--------+ +--------+
| SMTP | +---------------+ | SMTP |
| CLIENT |<-->| |<-->| CLIENT |
+--------+ | Internet | +--------+
| |
+---------------+
The SMTP client and SMTP server into two components:
+------------+ +------------+
| User Agent | | User Agent |
+------------+ +------------+
| |
+----------------+ +----------------+
| Mail Transfer | | Mail Transfer |
| Agent | | Agent |
+----------------+ +----------------+
\ /
\ /
\_______+---------------+_______/
| |
| Internet |
| |
+---------------+
The user agent (UA) creates the envelope and then puts the message in the envelope. So it prepares the message. The mail transfer agent (MTA) transfers this prepared mail across the internet.
Mail Transfers in a more complex structure:
+---------------------+ +-----------------------+
| User Agent (Sender) | | User Agent (Receiver) |
+---------------------+ +-----------------------+
| |
+----------------+ +-------------+ +----------------+
| Outbound Mail | | Domain Name | | Inbound Mail |
| Server | <--| System |--> | Server |
+----------------+ +-------------+ +----------------+
\ \ / \ Authencticate / /
\ \ / \ SPF / /
\ \_MX Record_/ \_DKIM,DMARC_/ /
\ /
\_________+---------------+__________/
| |
| Internet |
| |
+---------------+
Some controls have been added to the DNS side which is used especially for e-mail transfer.
Authentication to SMTP server, Domain Keys Identification Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC) and Sender Policy Framework (SPF) are the controls provided on the DNS side.
According to Internet Engineering Task Force, RFC7208 is version 1 for Sender Policy Framework (SPF) for Authorizing Use of Domains in Email.
You can get detailed information from the link below.
"Email on the Internet can be forged in a number of ways. In particular, existing protocols place no restriction on what a sending host can use as the "MAIL FROM" of a message or the domain given on the SMTP HELO/EHLO commands."
"How famous mail transfer agent services can pose a threat even though they use SPF."
Today, we will examine also other famous mail providers not only Gmail+----------------------------------------------------------------------------------------+ | Gmail | Yandex | Mail.ru | Outlook | Yahoo | ZohoMail | Hey.com | Hubspot | +----------------------------------------------------------------------------------------+
2.0. Analysis of threatening emails and sending them by live demos
Time to conduct internal and external tests on famous mail providers. In internal tests, we will try to send arbitrary mail via mail provider own domain name. In external tests, we will try to send arbitrary mail using the domain name "wallofsheep.com".
---------- Internal Tests -------------------+----------- External Tests --------------------
|
defcon@gmail.com => defconphv@gmail.com | ming@wallofsheep.com => defconphv@gmail.com
|
defcon@yandex.com => defconphv@yandex.com | ming@wallofsheep.com => defconphv@yandex.com
|
defcon@mail.ru => defconphv@mail.ru | ming@wallofsheep.com => defconphv@mail.ru
|
defcon@hotmail.com => defconphv@hotmail.com | ming@wallofsheep.com => defconphv@hotmail.com
|
defcon@yahoo.com => defconphv@yahoo.com | ming@wallofsheep.com => defconphv@yahoo.com
|
defcon@zohomail.com => defconphv@zohomail.com| ming@wallofsheep.com => defconphv@zohomail.com
|
---------------------------------------------+-----------------------------------------------
4.0. Results and scheme of the research
✔+ = Drops into the inbox without warning ✔ = Drops into the inbox with warning ✔- = Drops into the spam box ✘ = Doesn't drop into any box
+-----------------------------------------------------------------+
| Gmail | Yandex | Mail.ru | Outlook | Yahoo | ZohoMail |
+----------------------------------------------------------------------------+
| Internal | ✔ | ✘ | ✘ | ✔- | ✘ | ✘ |
+----------------------------------------------------------------------------+
| External | ✔+ | ✔+ | ✔+ | ✔- | ✘ | ✘ |
+----------------------------------------------------------------------------+
Unfortunately, 3rd party applications using APIs of famous mail providers cannot reflect the warnings. Naturally, the incoming e-mail is forwarding directly without any error messages.
+------------------------+
| Hey | Hubspot |
+-------------------------------------+
| Forwarding | ✔+ | ✔+ |
+-------------------------------------+
5.0. A exclusive tool as a bonus
DRAFT CHAT
DRAFTCHAT allows persons to chat through mails systems. You can access the GDchat module which is the first module and uses the gmail API.