
Espoofer : An Email Spoofing Testing Tool That Aims To Bypass SPF/DKIM/DMARC

Espoofer is an open-source testing tool to bypass SPF, DKIM, and DMARC authentication in email systems. It helps mail server administrators and penetration testers check whether the target email server and client are vulnerable to email spoofing attacks or can be abused to send spoofing emails.

Why build this tool?

Email spoofing is a big threat to both individuals and organizations (Yahoo breach, John Podesta). To address this problem, modern email services and websites employ authentication protocols (SPF, DKIM, and DMARC) to prevent email forgery.

Our latest research shows that the implementation of those protocols suffers from a number of security issues, which can be exploited to bypass SPF/DKIM/DMARC protections. Figure 1 demonstrates one of our spoofing attacks to bypass DKIM and DMARC in Gmail. For more technical details, please see our Black Hat USA 2020 talk (with presentation video) or USENIX Security 2020 paper.

  • Black Hat USA 2020 slides (PDF): You have No Idea Who Sent that Email: 18 Attacks on Email Sender Authentication
  • USENIX Security 2020 paper (PDF): Composition Kills: A Case Study of Email Sender Authentication
    • Distinguished Paper Award Winner

In this repo, we summarize all test cases we found and integrate them into this tool to help administrators and security practitioners quickly identify and locate such security issues. Please cite the paper if you use this tool in scientific research.

Installation

  • Download this tool

git clone https://github.com/chenjj/espoofer

  • Install dependencies

sudo pip3 install -r requirements.txt

Usage

espoofer has three working modes: server ('s', the default mode), client ('c') and manual ('m'). In server mode, espoofer works like a mail server to test validation in receiving services. In client mode, espoofer works as an email client to test validation in sending services. Manual mode is used for debugging purposes.

Server mode

To run espoofer in server mode, you need to have: 1) an IP address (1.2.3.4) whose outgoing port 25 is not blocked by the ISP, and 2) a domain (attack.com).

Domain configuration

  • Set DKIM public key for attack.com

selector._domainkey.attack.com TXT "v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNjwdrmp/gcbKLaGQfRZk+LJ6XOWuQXkAOa/lI1En4t4sLuWiKiL6hACqMrsKQ8XfgqN76mmx4CHWn2VqVewFh7QTvshGLywWwrAJZdQ4KTlfR/2EwAlrItndijOfr2tpZRgP0nTY6saktkhQdwrk3U0SZmG7U8L9IPj7ZwPKGvQIDAQAB"

  • Set SPF record for attack.com

attack.com TXT "v=spf1 ip4:1.2.3.4 +all"

  • Configure the tool in config.py

config = {
    "attacker_site": b"attack.com",  # the domain you control, carrying the DKIM/SPF records above
    "legitimate_site_address": b"admin@bank.com",  # the address being impersonated
    "victim_address": b"victim@victim.com",  # recipient of the test message
    "case_id": b"server_a1",  # test case to run; list all case ids with -l
}
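The two DNS records above are what a receiving server evaluates, so it helps to see how they are read. The following is an added example, not part of espoofer: it parses an SPF record and a DKIM key record, decides the SPF result for a sending IP using only the mechanisms that can be evaluated offline (ip4, ip6, all), and reports the policy details a reviewer should notice, such as the permissive +all and the DKIM t=y testing flag that appear in the test configuration. The records are constructed copies embedded in the script and the DKIM p= value is a placeholder, so no DNS lookup is performed.

```python
# Added example, not part of espoofer: parse the SPF and DKIM TXT records of a
# test domain and flag the settings a receiving-side reviewer should notice.
# Records are constructed inline (the DKIM p= value is a placeholder), so
# nothing here performs a DNS lookup.
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed copies of the records from the domain configuration above.
SPF_RECORD = "v=spf1 ip4:1.2.3.4 +all"
DKIM_RECORD = "v=DKIM1; k=rsa; t=y; p=PUBLIC_KEY_BASE64_PLACEHOLDER"


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) terms plus a
    dict of modifiers (redirect=, exp=)."""
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: first term must be v=spf1")
    terms, modifiers = [], {}
    for term in parts[1:]:
        if "=" in term:  # modifiers are name=value; mechanisms are name:value
            name, value = term.split("=", 1)
            modifiers[name.lower()] = value
            continue
        qualifier = "+"  # RFC 7208 section 4.6.2: a missing qualifier means '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        terms.append((qualifier, mechanism.lower(), argument))
    return {"terms": terms, "modifiers": modifiers}


def evaluate_spf(record, client_ip):
    """Return the SPF result for client_ip using only mechanisms that can be
    decided offline (ip4, ip6, all). Anything that needs DNS yields 'unresolved'."""
    ip = ipaddress.ip_address(client_ip)
    parsed = parse_spf(record)
    for qualifier, mechanism, argument in parsed["terms"]:
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        return "unresolved"  # a, mx, include, exists, ptr all need DNS
    if "redirect" in parsed["modifiers"]:
        return "unresolved"
    return "neutral"  # RFC 7208 section 4.7: nothing matched and no redirect


def spf_findings(record):
    """Observations about the record itself, independent of any sender."""
    terms = parse_spf(record)["terms"]
    findings = []
    for qualifier, mechanism, _ in terms:
        if mechanism == "all" and qualifier in ("+", "?"):
            findings.append(
                f"'{qualifier}all' gives every host a {QUALIFIERS[qualifier]} result, "
                "so SPF no longer restricts who may use the domain in MAIL FROM")
    if not any(mechanism == "all" for _, mechanism, _ in terms):
        findings.append("no 'all' term: senders matching nothing end up neutral")
    return findings


def parse_dkim_record(record):
    """Parse a DKIM key record (RFC 6376 section 3.6.1) into a tag=value dict."""
    tags = {}
    for field in record.split(";"):
        field = field.strip()
        if not field:
            continue
        name, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed DKIM tag: {field!r}")
        tags[name.strip()] = value.strip()
    return tags


def dkim_findings(record):
    """Flags a verifier must honour: revoked key, testing mode, strict i=/d=."""
    tags = parse_dkim_record(record)
    flags = tags.get("t", "").split(":")
    findings = []
    if "p" not in tags:
        findings.append("no p= tag: record is invalid, signatures cannot verify")
    elif tags["p"] == "":
        findings.append("empty p= tag: the key is revoked")
    if "y" in flags:
        findings.append("t=y: domain is testing DKIM; RFC 6376 requires verifiers "
                        "to treat even a failing signature like unsigned mail")
    if "s" in flags:
        findings.append("t=s: the i= identity domain must equal the d= domain")
    return findings


if __name__ == "__main__":
    print("SPF result for 1.2.3.4:", evaluate_spf(SPF_RECORD, "1.2.3.4"))
    print("SPF result for 9.9.9.9:", evaluate_spf(SPF_RECORD, "9.9.9.9"))
    for finding in spf_findings(SPF_RECORD) + dkim_findings(DKIM_RECORD):
        print("-", finding)
```

Run with `python3 spf_dkim_check.py` (any file name works). With the records as configured above, every sending IP receives an SPF pass because of +all, and the DKIM record is in testing mode, which is exactly why a receiver's DMARC alignment logic, rather than SPF or DKIM alone, ends up carrying the decision.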

You can list the case_id of all test cases using the -l option:

python3 espoofer.py -l

You can change case_id in config.py or use the -id option on the command line to test different cases:

python3 espoofer.py -id server_a1

Client mode

To run espoofer in client mode, you need to have an account on the target email service. This attack exploits the failure of some email services to perform sufficient validation of emails received from local MUAs. For example, attacker@gmail.com tries to impersonate admin@gmail.com.
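The validation that the client-mode cases probe is the alignment check a submission service should perform between the authenticated account and the message's From header. The following is an added example, not espoofer's code, of such a check: it accepts a message only if there is exactly one From field, that field carries exactly one mailbox, and the mailbox is the account that authenticated. The sample messages are constructed inline and follow the scenario above (an account attacker@gmail.com submitting mail, with admin@gmail.com as the address that must not appear unless it is the authenticated account).

```python
# Added example, not part of espoofer: the alignment check a submission
# service (MSA) should apply to mail from an authenticated client, which the
# client-mode test cases probe. Sample messages are constructed inline.
from email import message_from_bytes
from email.utils import getaddresses

# Constructed messages named after the scenario in the client-mode section.
ALIGNED = (b"From: Alice <attacker@gmail.com>\r\n"
           b"To: victim@victim.com\r\n"
           b"Subject: From matches the authenticated account\r\n\r\nbody\r\n")
MISMATCH = (b"From: admin@gmail.com\r\n"
            b"To: victim@victim.com\r\n"
            b"Subject: From names another mailbox\r\n\r\nbody\r\n")
DUPLICATE = (b"From: attacker@gmail.com\r\n"
             b"From: admin@gmail.com\r\n"
             b"To: victim@victim.com\r\n"
             b"Subject: two From fields (RFC 5322 allows exactly one)\r\n\r\nbody\r\n")
MULTI = (b"From: attacker@gmail.com, admin@gmail.com\r\n"
         b"Sender: attacker@gmail.com\r\n"
         b"To: victim@victim.com\r\n"
         b"Subject: From lists two mailboxes\r\n\r\nbody\r\n")


def check_submission(raw_message, authenticated_user):
    """Return (accepted, reason) for a message submitted by authenticated_user.

    Policy: exactly one From header field, carrying exactly one mailbox, and
    that mailbox must be the authenticated account. RFC 5322 permits several
    mailboxes in From when a Sender field is present, but a submission service
    that wants alignment to be unambiguous can reasonably refuse that form.
    Addresses are compared case-insensitively, a deliberate policy choice.
    """
    msg = message_from_bytes(raw_message)
    from_fields = msg.get_all("From") or []
    if len(from_fields) != 1:
        return False, f"expected exactly one From field, found {len(from_fields)}"
    mailboxes = [addr for _, addr in getaddresses(from_fields) if addr]
    if len(mailboxes) != 1:
        return False, f"From must carry exactly one mailbox, found {len(mailboxes)}"
    if mailboxes[0].lower() != authenticated_user.lower():
        return False, (f"From mailbox {mailboxes[0]} is not the authenticated "
                       f"account {authenticated_user}")
    return True, "From mailbox matches the authenticated account"


if __name__ == "__main__":
    for name, raw in [("aligned", ALIGNED), ("mismatch", MISMATCH),
                      ("duplicate", DUPLICATE), ("multi", MULTI)]:
        accepted, reason = check_submission(raw, "attacker@gmail.com")
        print(f"{name:10s} {'ACCEPT' if accepted else 'REJECT'}: {reason}")
```

Only the first message is accepted for the account attacker@gmail.com; the other three are refused with a reason that names the failed rule, which is the behaviour the client-mode cases look for in a real sending service.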

  1. Configure the tool in config.py

config = {
    "legitimate_site_address": b"admin@gmail.com",  # the address being impersonated
    "victim_address": b"victim@victim.com",
    "case_id": b"client_a1",
    "client_mode": {
        "sending_server": ("smtp.gmail.com", 587),  # SMTP sending server host and port
        "username": b"attacker@gmail.com",  # your account username and password
        "password": b"your_password_here",
    },
}

You can list the case_id of all test cases using the -l option:

python3 espoofer.py -l

Note: sending_server should be the SMTP sending server address, not the receiving server address.

  2. Run the tool to send a spoofing email

python3 espoofer.py -m c

You can change case_id in config.py and run it again, or you can use the -id option on the command line:

python3 espoofer.py -m c -id client_a1

Manual mode

Here is an example of manual mode:

python3 espoofer.py -m m -helo attack.com -mfrom m@attack.com -rcptto victim@victim.com -data raw_msg_here -ip 127.0.0.1 -port 25

Screenshots

  1. A brief overview of test cases.

R K
