Mail in the Middle – A tool to automate spear phishing campaigns
Context
In the chilly month of December 2023, my colleagues Jason (@BreakerOfSigns), Szymon (@TH3_GOAT_FARM3R), and myself (@felmoltor) were on a red team. This one was tough, but we had fun. We had to be a bit more creative than I am used to and two interesting things were done that are worth sharing:
- Szymon and Jason physically broke into the client’s facilities. At a branch office, they left an implant using Rogan’s “Slimjim” device and it proved to be a solid and production ready project. Try it out and let us know how it goes.
- I developed a tool that we named Mail-in-the-Middle (Maitm for short). You can find it in our Github repository here: https://github.com/sensepost/mail-in-the-middle.
I cannot speak in first person about the physical breakin beyond praising the excellent social engineering skills of both of my colleagues, but I can talk about Mail-in-the-Middle.
First, let me explain what Mail-in-the-Middle is and how we approached it.
What is Maitm?
The idea is simple: take advantage of the typos that people make when they enter email addresses. If we position ourselves between the sender of an email (be it a person or a system) and the legitimate recipient, we may be able to capture plenty of information about the business, including personally identifiable information, email verification processes, etc. This scenario is effectively a Person-in-the-Middle (PiTM), but for email communications.
Some examples of how being positioned in the middle of email communications could be useful include:
- A vendor or third party would like to send out an invoice to the finance department of the target but they typo’d the domain. An attacker who owns the typo’d domain would receive these mails disclosing whatever information was contained within. This provides the attacker with a good pretext for a social engineering attack.
- Let’s say an administrator sets up a service to monitor performance of their servers, and proceeded to configure notifications / alarms to be sent to an email address where there was a typo within the domain. An attacker would receive those notifications which might disclose useful information about their internal infrastructure (for instance, software used, hostnames, IP addresses, etc.).
- Or perhaps an employee, from HR, registered an account on a third party service used to manage candidates applying for a job. But this was done using an email address where the domain was typo’d. Should the third party service send an email to that account, it would land in the hands of the attackers. An attacker could potentially perform an account takeover by requesting a password reset.
- What if an attacker finds that they are receiving OTPs for an account registration? In this scenario, they could take advantage of this by actively forwarding these emails on to the corrected target. This would give the attacker the ability to hijack the account later on, should the victim user complete the registration process using the forwarded OTP.
- A more active approach could be taken by tainting all the emails coming in and forwarding them on to the legitimate recipient. Links can be modified to point to a phishing page, UNC paths can also be injected as images on the email or mail headers (see CVE-2023-35636) to exfiltrate NetNTLM hashes, or attachments can be injected to deliver your malicious payload.
In summary, doing this would be similar to receiving an Amazon package wrongly delivered to you, swapping the Rolex inside the package with a Casio, repackaging it, and leaving the parcel on your neighbour’s doorstep (hoping they don’t notice).
*The original idea of doing this mail interception manually was not ours (Szymon, Jason, or Felipe), but it was rather passed down from previous generations of SensePost to us (thank you Willem), and probably has been by many others out there. What we are presenting here is an improvement on the process and the automation of it.*
Back to the point, to achieve a Mail-in-the-Middle position, there are three basic steps:
- Register domains that are typos of the target’s domain (covered under Infrastructure Preparation below).
- Configure the DNS with the MX record pointing to an attacker-controlled mail server.
- Configure a catch-all email address to read all these “Stranded Emails”.
I like to call these “Stranded Emails”, just because I am a fan of Death Stranding and I am not a native English speaker, so I just make up words to sound like an intellectual.
The architecture of this setup is illustrated in the diagram below:
The green envelope is the original email sent to the wrong domain (mircosoft.com). The handsome hacker would catch that email, extract any sensitive information it contains, or modify it and forward it on.
All this sounds a bit cumbersome to do manually. This is where the Mail-in-the-Middle tool can help you, since it automates the process.
Let’s dig into how to set up the environment and use the tool.
Infrastructure Preparation
As I’ve mentioned before, registering domains that are typos of the target’s domain (mostly domains that you would type if you fat-fingered an email address) is key. There are tools, such as dnstwist, that can help you discover good domains to look at. For example, if the target was mydomain.com, you would register domains like mydoain.com, mydomian.com or mdyomian.com.
Once we have registered a good number of these domains, we set the MX DNS records of all these domains to point to our mailbox. Following on from our earlier example, querying the MX records of the domain using dig would return something like the following (a good tip to check for this if you are on the blue team and suspect something weird is going on!):
$ dig mydoain.com mx +short
10 mail.attacker.com.
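The blue-team check suggested above, written out as an added example (this is not part of the Maitm project or the original post): it generates common fat-finger variants of your own domain, the way dnstwist does for a broader set of classes, and reports which variants publish an MX record. The DNS lookup is a constructed stand-in so the code runs offline; for live use, replace `sample_lookup` with a real resolver such as dnspython’s `dns.resolver.resolve(name, "MX")`.

```python
# Added example (not the Maitm project's code): find typo variants of a domain
# that publish an MX record, i.e. domains positioned to receive stranded mail.
from typing import Callable, Dict, List, Set


def typo_variants(domain: str) -> Set[str]:
    """Omission, transposition and repetition variants of the label before the
    first dot, TLD unchanged (mydomain.com -> mydoain.com, mydomian.com, ...).
    Deliberately small; dnstwist covers many more permutation classes."""
    label, _, tld = domain.partition(".")
    out: Set[str] = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])             # omit one character
        out.add(label[:i] + label[i] + label[i:])       # repeat one character
        if i + 1 < len(label):                          # transpose neighbours
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    out.discard(label)                                  # drop the real label
    return {f"{v}.{tld}" for v in out if v}


def find_mx_squats(domain: str,
                   lookup_mx: Callable[[str], List[str]]) -> Dict[str, List[str]]:
    """Map each variant that has at least one MX host to its MX hosts.
    lookup_mx must return [] for NXDOMAIN or a domain without MX records."""
    hits: Dict[str, List[str]] = {}
    for variant in sorted(typo_variants(domain)):
        hosts = lookup_mx(variant)
        if hosts:
            hits[variant] = hosts
    return hits


# Constructed sample answers standing in for live DNS; mirrors the dig output
# above for mydoain.com. Everything else resolves to "no MX".
SAMPLE_MX = {
    "mydoain.com": ["mail.attacker.com."],
    "mydomain.com": ["mx.mydomain.com."],
}


def sample_lookup(name: str) -> List[str]:
    return SAMPLE_MX.get(name, [])


if __name__ == "__main__":
    for squat, mxs in find_mx_squats("mydomain.com", sample_lookup).items():
        print(f"{squat}: MX -> {', '.join(mxs)}")
```

Run it periodically against your own domains and alert on any new variant that starts publishing an MX record.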
Now, configure a catch-all rule on the server to forward any email coming to a non-existent recipient to another trap email, for example to blackhole@attacker.com.
With a catch-all configured, if I go to our server’s webmail, I often see plenty of rubbish and spam clogging my inbox. This is a good sign, the catch-all rule is working. You could expect like 5% of these emails to be useful (aka: not spam).
Meeting invite including a passcode and details about the agenda
Invoice for SAP sent to the wrong recipient
Automation
The objective of Maitm is to reduce my workload by automating the delivery of the spear-phishing style campaigns at scale.
The main ingredients of my tool were a handful of imap-tools, a pinch of discord-webhook and a spoonful of BeautifulSoup4. We mix all this magic in a hot pot and now the attacker can rely on a script to do automatic email modification and forwarding to intended users, all while they are relaxing:
Simply put, the script is an infinite loop with the following logic:
Depending on the configuration you have set, the flow should be similar to the following:
- Log in to a mailbox via SMTP and IMAP (defined in auth.yml).
- List emails, new or all (defined by the CLI argument -n).
- Filter the emails you want (defined in filter.yml).
- Inject a tracking URL (if defined in injections.yml).
- Inject a UNC path as an image to exfiltrate NetNTLM hashes (if defined in injections.yml).
[...]