espoofer: email spoofing testing tool
espoofer
espoofer is an open-source testing tool to bypass SPF, DKIM, and DMARC authentication in email systems. It helps mail server administrators and penetration testers to check whether the target email server and client are vulnerable to email spoofing attacks or can be abused to send spoofing emails.
Figure 1. A case of our spoofing attacks on Gmail (Fixed, Demo video)
Why build this tool?
Email spoofing is a big threat to both individuals and organizations (Yahoo breach, John podesta). To address this problem, modern email services and websites employ authentication protocols — SPF, DKIM, and DMARC — to prevent email forgery.
Our latest research shows that the implementation of those protocols suffers a number of security issues, which can be exploited to bypass SPF/DKIM/DMARC protections. Figure 1 demonstrates one of our spoofing attacks to bypass DKIM and DMARC in Gmail. For more technical details, please see our Black Hat USA 2020 talk (with presentation video) or USENIX security 2020 paper.
- Black Hat USA 2020 slides (PDF): You have No Idea Who Sent that Email: 18 Attacks on Email Sender Authentication
- USENIX security 2020 paper (PDF): Composition Kills: A Case Study of Email Sender Authentication
In this repo, we summarize all test cases we found and integrate them into this tool to help administrators and security practitioners quickly identify and locate such security issues.
Install
git clone https://github.com/chenjj/espoofer
sudo pip3 install -r requirements.txt
Use
espoofer has three work modes: server (‘s’, default mode), client (‘c’) and manual (‘m’). In server mode, the espoofer works like a mail server to test validation in receiving services. In client mode, the espoofer works as an email client to test validation in sending services. Manual mode is used for debugging purposes.
Figure 2. Three types of attackers and their work modes
Server mode
To run espoofer in server mode, you need to have: 1) an IP address (1.2.3.4), which outgoing port 25 is not blocked by the ISP, and 2) a domain (attack.com).
- Domain configuration
- Set DKIM public key for attack.com
selector._domainkey.attacker.com TXT “v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNjwdrmp/gcbKLaGQfRZk+LJ6XOWuQXkAOa/lI1En4t4sLuWiKiL6hACqMrsKQ8XfgqN76mmx4CHWn2VqVewFh7QTvshGLywWwrAJZdQ4KTlfR/2EwAlrItndijOfr2tpZRgP0nTY6saktkhQdwrk3U0SZmG7U8L9IPj7ZwPKGvQIDAQAB”
- Set SPF record for attack.com
attack.com TXT "v=spf1 ip4:1.2.3.4 +all"
- Configure the tool in config.py
You can list find the case_id of all test cases using -l option:
python3 espoofer.py -l
- Run the tool to send a spoofing email
python3 espoofer.py
You can change case_id in the config.py or use -id option in the command line to test different cases:
python3 espoofer.py -id server_a1
Client mode
To run epsoofer in client mode, you need to have an account on the target email services. This attack exploits the failure of some email services to perform sufficient validation of emails received from local MUAs. For example, attacker@gmail.com tries to impersonate admin@gmail.com.
- Configure the tool in config.py
You can list find the case_id of all test cases using the -l option:
python3 espoofer.py -l
Note: sending_server should be the SMTP sending server address, not the receiving server address.
- Run the tool to send a spoofing email
python3 espoofer.py -m c
You can change case_id in the config.py and run it again, or you can use -id option in the command line:
python3 espoofer.py -m c -id client_a1
Manual mode
Here is an example of manual mode:
python3 espoofer.py -m m -helo attack.com -mfrom <m@attack.com> -rcptto <victim@victim.com> -data raw_msg_here -ip 127.0.0.1 -port 25
Copyright (c) 2019 Jianjun Chen
Source: https://github.com/chenjj/
