王昊与凯莱布·萨金特与哈里森·波默罗伊与雷纳娜·弗里德利希_进入收件箱新颖的电子邮件欺骗攻击模式.pdf

1、Into the Inbox:Novel Email Spoofing Attack PatternsSpeakers:Caleb Sargent&Hao Wang#BHUSA BlackHatEventsAbout UsCaleb Sargent(squared_)Offensive Security EngineerHao Wang(MrRed_Panda)Offensive Security Manager#BHUSA BlackHatEventsDisclaimerThe ideas,content,or opinions expressed in this presentation

2、are solely those of the author and do not reflect any endorsement or support by our employer.#BHUSA BlackHatEventsAgendaStory Time1Email Security Basics2Attack Patterns3Next Steps4Recommendations5#BHUSA BlackHatEventsEver been pranked?#BHUSA BlackHatEventsCrafting the ultimate Prank.#BHUSA BlackHatE

3、ventsFiguring out how to send an email#BHUSA BlackHatEventsTesting if this works#BHUSA BlackHatEventsDMARC all passes#BHUSA BlackHatEventsExecuting the prankAS SEEN INATTACK PATTERN 2#BHUSA BlackHatEventsThe Aftermath.#BHUSA BlackHatEventsStanding on the shoulders of giantsReference:https:/forum.def

4、con.org/node/245722Reference:https:/sec- Smuggling 37C3Millions of domains affectedTimo Longin from SEC ConsultSpamChannel DEFCON 31Two million domains affectedMarcello byt3bl33d3r Salvati#BHUSA BlackHatEventsSPF/DKIM/DMARCv SPFq Verify Sender IP based on TXT record of domain via MAIL FROM/HELOv DKI

5、Mq Verify email based on the added DKIM signaturev DMARCq Tell email receivers on how to handle unauthenticated emailsq Verify SPF or DKIM based on the domain passed via FROMq DMARC RFC 7489:Reference:https:/www.rfc-editor.org/rfc/rfc7489.htmlDMARCs filtering function is based on whether the RFC5322

6、.From field domain is aligned with(matches)an authenticated domain name from SPF or DKIM.#BHUSA BlackHatEventsHELO MAIL FROM:RCPT TO:EnvelopeDATAFROM:TO:Subject:Hello WorldDKIM-Signature:v1;d=;h=ContentMessageSample SMTP flowSPFDKIMDMARCVerify sender IP based onMAIL FROM or HELOVerify SPFORDKIM base