Phishing is a ray of light when every attempt to breach an organization fails. However, setting up a covert SMTP infrastructure for phishing is a time consuming and painful process. By a covert SMTP infrastructure, I mean an infrastructure:
- which has an ability to evade detection; typically to throw off blue teams
- which has resilience; to spin up a new infra quickly
Obviously, instead of setting up your own infrastructure, you can use third party services such as Sendgrid, Elastic Email, etc. , but these have their own constraints such as:
- Inability to have granular control over the IP assignment: In many cases IP address assigned to the SMTP server has a poor reputation, compromising success rate of your phishing campaign
- Rate limiting: Most of the vendors implement rate limiting controls when sending emails, especially for a newly created accounts
- Account suspension: Personally, I have faced this issue multiple times, wherein, your account gets suspended as suspicious activity is detected from your account, which you cannot argue with !
I tasked myself to setup an SMTP infra recently for a red team engagement. I referenced a lot of good resources but till the time of writing this post, I could not find a guide to setup and end to end infrastructure which ensures email delivery (though email delivery depends upon many factors apart from SMTP configuration which are out of scope of this post).
In this series, I will cover complete setup of a covert infrastructure which has the following key highlights:
- Entire infrastructure will be a setup on DigitalOcean cloud environment
- For a newly configured domain and basic HTML email content, the email score should be near perfect, e.g. scoring 9 out of 10 on a popular email spam check portals such as https://www.mail-tester.com/
- Redirector will be used to hide the identity of backend SMTP server
Let’s talk about the design and components of the infrastructure.
Let’s explore all the components in the figure:
- Attacker: It’s an attacker who will send an email by connecting to the SMTP server. In this case, the attacker connects with the core SMTP server.
- Core SMTP server: This is the SMTP server that we use as a backend SMTP server. Details are below:
- Attacker connects to this server to send the email to the target.
- It is integrated with the relay server. So, instead of sending the emails directly to the victim, the emails are relayed via the redirector server.
- Redirector server: This is the SMTP server which acts as a buffer between the victim and the core SMTP server. The purpose of this server, as mentioned earlier, is to evade detection and maintain resiliency, in case this server is blacklisted by the blue teams such as SOC.
- Target: An email is received by the victim. Once the configuration and setup is proper:
- The victim will not be able to trace the identity of the core SMTP server.
- Traffic and header analysis will only show communication with the redirector server.
What will this series cover
Now that we have laid down the vision, let us get started with setup on the infrastructure. The process of setting up the infrastructure will be as follows:
- Core SMTP server Setup
- Setting DNS Records
- Other Major Considerations
- Pilot Run
- Setup of SMTP redirector
- Integration of SMTP redirector with core SMTP server
- Configuration changes to conceal the identity of our core (backend) SMTP server
In this first part, we will be cover from point 1 to point 4. The remaining areas will be covered in the next part.
Core SMTP server setup
Lets dive into setup of the core SMTP server. I have provisioned an Ubuntu 18.04 LTS droplet on DigitalOcean for this. For the entire series, I will refer to this machine as “coremx”, which denotes our core SMTP server. The setup goes as follows:
Installing a mail server solution
For this, we are going to use iRedMail, which is a full fledged email server solution. This will give us a nice web front end to configure the mail server and will also install all other necessary components. Following are the open-source components that are integrated in iRedMail:
I won’t walk you through the steps for installation of iRedMail. You can follow https://docs.iredmail.org/install.iredmail.on.debian.ubuntu.html for a detail guide on installing iRedMail
I will use my domain “mosunit.com” for the setup. Post completion of the installation, I get the following output:
Setting DNS records
Once you have installed the iRedAdmin, essential email services such as Postfix, etc. have been installed too. The next step is to work on the DNS records which will essentially decide whether your email will land in the Inbox or not. Specifically, we will be setting the below records:
An “A” record simply points a fully qualified domain name to an IP address. To access the above created URLs by iRedAdmin ( https://coremx.mosunit.com/iredadmin/, etc.), we need to add an A record pointing coremx.mosunit.com to our droplet’s IP which is running iRedAdmin. I am using Godaddy and an “A” record will look like this:
An “MX” records tells the world the email server they need to contact to send an email to your domain. In this case, we need to advertise an MX record for domain “mosunit.com”. This will again be the IP address on which our mail service is running.
An “SPF” record verifies if the email is received from an approved list of sender. For a domain, the owner publishes a list of approved senders. The receiving mail server does the following:
- checks the “Return-Path” message header to extract the domain
- checks the SPF TXT record for that domain
- validates if the sender IP address is in list of approved list of senders in SPF
You can use https://mxtoolbox.com/SPFRecordGenerator.aspx to generate an SPF record.
DKIM is an email authentication mechanism to detect email spoofing. It allows receiver to verify if the email is coming from a domain who is an authorized owner of the domain.
For each outgoing message, a private key is used to generate a DKIM signature. The owner of the domain publishes the public key as DNS TXT record. Once the receiver receives the message, it queries the DNS record to retrieve the public key. This public key is then used decode the signature and verify if the message is from a genuine sender or if someone is spoofing your domain
Note that as we configured mosunit.com while installation of iRedAdmin, the DKIM keys are already generated. For a new domain, you will first need to generate the DKIM keys. Refer to https://docs.iredmail.org/sign.dkim.signature.for.new.domain.html for detailed steps.
Lets look at the steps to configure DKIM for domain mosunit.com
Once I login into coremx, I ran the
amavisd-new showkeys to list the keys:
From this output, we need to extract the data within the
() block, but we need to remove the quotes. The extracted value is the DKIM DNS record. The output will look something like this.
Now, we need to to add this record in the domain. Note that the name of the DNS record is
dkim._domainkey. This is also called DKIM selector.
I verified if DKIM had been configured correctly by
amavisd-new testkeys running on the coremx, and got the following output:
You can also verify the DKIM record via https://www.dmarcanalyzer.com/dkim/dkim-check/. It analyses the record such as key strength, configuration of tags used, etc.
Quoting from Microsoft, Domain-based Message Authentication, Reporting, and Conformance (DMARC) works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate mail senders and ensure that destination email systems trust messages sent from your domain. Implementing DMARC with SPF and DKIM provides additional protection against spoofing and phishing email. DMARC helps receiving mail systems determine what to do with messages sent from your domain that fail SPF or DKIM checks,
To state the working of DMARC more precisely, DMARC tests and enforces identifier alignment. Few key points to consider are below:
- Identifiers are SPF and DKIM records.
- Authenticated identifiers are checked against mail user agent(MUA) visible “RFC5322.From” domain. Only one authenticated identifier has to align for the email to be considered in alignment.
- DMARC has a concept of aligned and unalinged emails, which will not be covered in detail in this post. Aligned mails are delivered to the user mailbox and actions are taken on unalingned emails, based upon directive set by the domain authority via DMARC DNS record.
I understand that the working of DMARC can be hard to grasp at first and I would suggest you visit https://www.m3aawg.org/activities/training/dmarc-training-series for detailed insight in working on DMARC.
DMARC is set as a TXT record and you can generate the DMARC record using https://mxtoolbox.com/DMARCRecordGenerator.aspx. I created the following basic DMARC record.
Type: TXT Host/Name: _DMARC.mosunit.com Value: v=DMARC1; p=none; rua=mailto:firstname.lastname@example.org; ruf=mailto:email@example.com
The record states the following:
- As the value of “p” is set to “none”, the sender does not want any action by the receiver on unaligned incoming emails. DMARC is only set to monitoring mode. Other options are either to “quarantine” or “reject” the unaligned emails.
- Aggregate and forensic reports are to be sent to firstname.lastname@example.org
The record looks like this in the DNS manager:
We have now setup all DNS records which are essential for our email delivery. Let’s jump to next section now, which includes other necessary conditions that need to be met for successful delivery.
Other Major Considerations
A reverse DNS record (rDNS) identifies a domain associated with an IP address. An SMTP server IP address without a rDNS record will most likely be flagged by receiver’s anti-spam engine and connections from that SMTP server will be blocked. Thus, passing an rDNS check is must for a successful mail delivery.
Setting a PTR record in DigitalOcean is pretty straightforward. You just need to change the name of the droplet to a fully qualified domain name (FQDN). Once changed, the PTR record is set using the name of the droplet.
In my case, once I changed the name of core SMTP droplet to coremx.mosunit.com, the PTR record was updated within seconds.
SMTP Server IP Blacklist Check
The IP address of the SMTP server is one of the key deciding factor whether your email will be delivered or not. IP reputation is checked by the receiver and if found in any known blacklists, the email is blocked on the gateway itself and never sees the light of the user mailbox.
Once you provision a new droplet, check the public IP assigned against known blacklists. You can use MXToolbox’s blacklist check (https://mxtoolbox.com/blacklists.aspx) for this. If you find your IP address on a blacklist, you can either provision a new droplet or submit your public IP address for delisting. The following snippet shows the blacklist check for 188.8.131.52 (coremx.mosunit.com)
Validation of configuration
We have successfully configured all the parameters and we are ready to start sending emails and analyze the results. Before you do that, I will suggest that you run diagnostic checks on your domain to ensure that the overall setup is free from any caveats and you have not missed anything. One of the ways you can do this is using MXToolbox’s Domain Heath Report (https://mxtoolbox.com/domain).
It will highlight any error associated with your domain. We are mostly interested in DNS, Mail Server and Blacklist check results.
Now that we have the setup ready, lets send an email and check if the configuration is optimal and if the email lands in the mailbox. You can use RoundCube email client installed during the iRedMail installation. It could be found at https://<yourdomain.com>/mail/
To test how well your email scores in terms and if at all it will be delivered in a user’s mailbox, you can use a service such as http://www.mail-tester.com/. It evaluates the email headers as well as content on parameters such as IP address reputation, SPM/DKIM/DMARC check results, etc. and generates a SPAM score.
As shown below, an email was sent to Mail Tester and the email got a perfect score of 10/10.
You can also send an email to a genuine user ID, and most likely if the score is 10/10, your email will be delivered in the Inbox.
Once the email is sent, irrespective of whether it is delivered or not, it comes under the scanner as soon as it is sent. The email will be scanned and analyzed by email gateways, endpoint solutions, blue teams, etc. Once the email is flagged, the domain as well the originating IP address will be blocked/blacklisted. The blacklist details will then be updated in the reputation lists and anyone using those reputation lists to make decision on incoming emails will block them.
The following is the header of an email that was sent to an Office365 domain. The original email ID and domain of the recipient has been replaced with random text.
Received: from BM1PR0101MB1107.INDPRD01.PROD.OUTLOOK.COM (2603:1096:b00::24) by BM1PR01MB3585.INDPRD01.PROD.OUTLOOK.COM with HTTPS via BM1PR01CA0108.INDPRD01.PROD.OUTLOOK.COM; Tue, 28 Apr 2020 06:58:49 +0000 Received: from PN1PR01CA0080.INDPRD01.PROD.OUTLOOK.COM (2603:1096:c00:1::20) by BM1PR0101MB1107.INDPRD01.PROD.OUTLOOK.COM (2603:1096:b00:22::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.13; Tue, 28 Apr 2020 06:58:49 +0000 Received: from BO1IND01FT008.eop-IND01.prod.protection.outlook.com (2603:1096:c00:1:cafe::e1) by PN1PR01CA0080.outlook.office365.com (2603:1096:c00:1::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.13 via Frontend Transport; Tue, 28 Apr 2020 06:58:49 +0000 Authentication-Results: spf=pass (sender IP is 184.108.40.206) smtp.mailfrom=mosunit.com; yourcompany.com; dkim=pass (signature was verified) header.d=mosunit.com;yourcompany.com; dmarc=pass action=none header.from=mosunit.com;compauth=pass reason=100 Received-SPF: Pass (protection.outlook.com: domain of mosunit.com designates 220.127.116.11 as permitted sender) receiver=protection.outlook.com; client-ip=18.104.22.168; helo=coremx.mosunit.com; Received: from coremx.mosunit.com (22.214.171.124) by BO1IND01FT008.mail.protection.outlook.com (10.152.202.71) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.15 via Frontend Transport; Tue, 28 Apr 2020 06:58:48 +0000 Received: from coremx.mosunit.com (coremx.mosunit.com [127.0.0.1]) by coremx.mosunit.com (Postfix) with ESMTP id 49BCD62F1NzChZN for <email@example.com>; Tue, 28 Apr 2020 06:58:46 +0000 (UTC) Authentication-Results-Original: coremx.mosunit.com (amavisd-new); dkim=pass (1024-bit key) reason="pass (just generated, assumed good)" header.d=mosunit.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mosunit.com; h= content-transfer-encoding:content-type:message-id:user-agent :references:in-reply-to:subject:to:from:date:mime-version; s= dkim; t=1588057124; x=1590649125; bh=EH2Lk7nEJ4MFxjQukbUATa9TFyl lOFrVLWlE8cV0mlY=; b=WBoR4eqxAndlJBIACiozsEE7kJYcCa8koE0YYSz/y1I c0b4yTR8QAsADl98vFXIC+Y/V4+Kg2/5THU3cMSIYM7qnHw9wHy2BveOq6uo0oq3 48iLpZswu+k7JQMjA24KV4vRQJP7j1VSXsAuyfksp+jC2+McHeIpw+V7IGQNmU5A = X-Virus-Scanned: Debian amavisd-new at coremx.mosunit.com Received: from coremx.mosunit.com ([127.0.0.1]) by coremx.mosunit.com (coremx.mosunit.com [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id N1QcZSLhMpxu for <firstname.lastname@example.org>; Tue, 28 Apr 2020 06:58:44 +0000 (UTC) Received: from localhost (coremx.mosunit.com [127.0.0.1]) by coremx.mosunit.com (Postfix) with ESMTPSA id 49BCD36fZXzChZL for <email@example.com>; Tue, 28 Apr 2020 06:58:43 +0000 (UTC) MIME-Version: 1.0 Date: Tue, 28 Apr 2020 12:28:43 +0530 From: IT Support <firstname.lastname@example.org> To: email@example.com Subject: Fwd: Notification from Support team In-Reply-To: <firstname.lastname@example.org> References: <email@example.com> <firstname.lastname@example.org> User-Agent: Roundcube Webmail Message-ID: <email@example.com> X-Sender: firstname.lastname@example.org Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: quoted-printable Return-Path: email@example.com X-MS-Exchange-Organization-ExpirationStartTime: 28 Apr 2020 06:58:48.4968 (UTC) X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000 X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit X-MS-Exchange-Organization-Network-Message-Id: fbf9b832-4876-42c2-d480-08d7eb4199fa X-EOPAttributedMessage: 0 X-EOPTenantAttributedMessage: 5519d103-66f6-4b0d-979f-35c233b454ed:0 X-MS-Exchange-Organization-MessageDirectionality: Incoming X-Forefront-Antispam-Report: CIP:126.96.36.199;CTRY:US;LANG:en;SCL:6;SRV:;IPV:NLI;SFV:SPM;H:coremx.mosunit.com;PTR:coremx.mosunit.com;CAT:SPM;SFTY:;SFS:(10001);DIR:INB;SFP:; X-MS-Exchange-Organization-AuthSource: BO1IND01FT008.eop-IND01.prod.protection.outlook.com X-MS-Exchange-Organization-AuthAs: Anonymous X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: fbf9b832-4876-42c2-d480-08d7eb4199fa X-MS-TrafficTypeDiagnostic: BM1PR0101MB1107: X-MS-Oob-TLC-OOBClassifiers: OLM:4941; X-MS-Exchange-Organization-SCL: 6 X-Microsoft-Antispam: BCL:0; X-MS-Exchange-CrossTenant-OriginalArrivalTime: 28 Apr 2020 06:58:48.0620 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: fbf9b832-4876-42c2-d480-08d7eb4199fa X-MS-Exchange-CrossTenant-Id: 5519d103-66f6-4b0d-979f-35c233b454ed X-MS-Exchange-CrossTenant-FromEntityHeader: Internet X-MS-Exchange-Transport-CrossTenantHeadersStamped: BM1PR0101MB1107 X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.7107612 X-MS-Exchange-Processed-By-BccFoldering: 15.20.2937.014 X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:1;auth:0;dest:J;ENG:(20160513016)(750127)(520011016)(944506383)(944626516); X-Microsoft-Antispam-Message-Info: =?us-ascii?Q?2buRJubIaficmR5RFZKPYJ94AjrVm9PrgBChsEszeGe6M6Zy87rqDD4eYtzX?= =?us-ascii?Q?XeOaMNwlMSIdrnDN9uHnfr4Q6OrN6D9Ao0q4B5XXVY6f3dud+F5fg6XXJ3Pq?= =?us-ascii?Q?lwVBsGNeI4nd1fwJwZraWMO+GBbSh8YJos4ROGu2oJ9gZMaHskXhPL1iTLT0?= =?us-ascii?Q?GTzDRoyGLxI71t3+S9Kb/cpUqf7OoHMp9nvqB8zF/mcug/QRrl3LcA4uoyKX?= =?us-ascii?Q?G56N/O0vxqDzymfF5B9hga13hHd9SA1fXDoU/WsJ3vLezI9TLf3DztyoCyYA?= =?us-ascii?Q?rLii7Y5+As07p5G/EGnfauWVd39wbsPftIU7fXqvNR2T74vSQv6pl3fE7Pmt?= =?us-ascii?Q?aKDQyRIM7SgY9kmjdXPB0IzDzIkTSvgFAB64Xl0+BoqalZin72qXKAo740xx?= =?us-ascii?Q?6y/m+xuYUVsf7hSonl1x02JBAOoJ2pDMfEYZTfs8N0tIqNlZG/Fq4V42hFwN?= =?us-ascii?Q?MrXEleUDRJgD2pQJ9s3aQS3V2d7LFvBJkRpMrnhw22gzekXP31izfvYtV1SF?= =?us-ascii?Q?2cfZWqylfz8Z24+8n1l3NLU4la3V40poCm/do+LnLs0DfTvM9wvR5PejkUh0?= =?us-ascii?Q?D11uMAO8GHDM5X5Kc5q2INVgKTjKy9P36dYTWlQKHyyw1pf7fQ34fe49FbWd?= =?us-ascii?Q?iGLGN7I2a82X1J5PaG1BDw6Sb49HD6JgxrbxPNr3OA3YgPzzt5B7HVxccQQp?= =?us-ascii?Q?kMLOH25TskyowUr59Wxs3g0WCA3U3FdzXcP97ZyL9MinhHkAbbN7quC9FEmx?= =?us-ascii?Q?2WPvAiXtojxH/OHlfP4xUsaeVxk6/luXv/XAU9g8Y3whmgIGMBL4pOsanjIA?= =?us-ascii?Q?l8mXyYyPwCCxP5IcHdsbNOgIZKmbSkj7jfYHqbpbWh26An9eaVLWNE9Gh+L1?= =?us-ascii?Q?5+KeoAOOP9hhrBINAQBjaiC7UZVFPMdd3OuYQb8hmPXVDZRD8qENhb8XI+H6?= =?us-ascii?Q?/AHnykzmYzoa07T7j3PUbFHvbkowMAWhOtIUdaOJjLCqaia/2lWHgda1MQeT?= =?us-ascii?Q?hXOoqh3apY2q28bV5OI+eiKKaaGJcRnk7oWYvVxIOo59gqQ7GYiCjoGzYISj?= =?us-ascii?Q?yPtr9nibjB3firW4eQwDZ+yDCIgz6/W/JNXaOFphyoQfbQCjsVecHbfp2Bkd?= =?us-ascii?Q?bwc9cJHpSzV+Vy+jRDv4vn/zyRFwo8HWXOWgqaVy80ClMoB94RS1tey0sPS5?= =?us-ascii?Q?mws5gWeLlHj+fbIpNqmefgMSnYSJlxRy2stwJLR/o+JcX1eKWo+tV8RLgjr+?= =?us-ascii?Q?BWZ0vnurxxHMbGPLpqkp3E4+Q6ozxGHlaKJisDuPOOlIe1DP8RhGR4VXV2c0?= =?us-ascii?Q?B3sp/Q+znfFxqj5rjtwTHNKdJH1eXEr6H/dHIqX29dRkMq590mRuZ6Z82orh?= =?us-ascii?Q?5go3gIXecYt1hcgeZxcAkUWOtOgKbLdMsvh7ebZ02ZopUeVO1IHA/2/wuYvh?= =?us-ascii?Q?MzIESh463zquGw9lfZgKV7RpI/pTOfTF17oJpHJhWbmPAHTCskEQEbA7SnHw?= =?us-ascii?Q?pZdxrRfAZd4zTv5yZDv9TM9gC53GhXeCW1Z8ePoihcXY9l6RLQzVxZ8vgMhY?= =?us-ascii?Q?1c6fw/XN06tqC2eW/HOWiIR3dpakSWZ/DAeOR+veRF4PczwicsxFIP71A+HK?= =?us-ascii?Q?3Pk4n2MtRWfWEckjS/xdgvgftZ5g6+ldSSxsCAx8UzSVBhZG6hsnofUNq0K8?= =?us-ascii?Q?OHUG8Xhvz//zT8Htxr+4t5ouIkk=3D?=
The header leaks the droplet’s IP address (188.8.131.52) as well the hostname (coremx.mosunit.com). The next part of the series will discuss how to mask these details using a redirector.
This blog is also hosted on my employer’s blog at https://niiconsulting.com/checkmate/2020/06/building-a-covert-smtp-infrastructure-part-i/
Thanks for reading.