Easy Phish / hosaka: 11:59 14/01/2020 / Category: Infosec  

Brief

"Customers of secure-startup.com have been receiving some very convincing phishing emails, can you figure out why?"

Recon

I initially visited the secure-startup.com domain but found this to be a GoDaddy parked domain. With no website to explore, my next thought turned to enumerating the secure-startup.com domain using dig (domain internet groper).

dig secure-startup.com ANY

;; ANSWER SECTION:
secure-startup.com. 20  IN  A   184.168.221.59
secure-startup.com. 3039    IN  NS  ns70.domaincontrol.com.
secure-startup.com. 3039    IN  NS  ns69.domaincontrol.com.
secure-startup.com. 3039    IN  SOA ns69.domaincontrol.com. dns.jomax.net. 2019032504 28800 7200 604800 600
secure-startup.com. 1212    IN  TXT "v=spf1 a mx ?all - HTB{RIP_SPF_Always_2nd"

Second Piece

After trying the TXT record value HTB{RIP_SPF_Always_2nd and appending }, it became clear that this was the first half of a two-piece flag.

The clue to the next half is in the first half of the flag: SPF.

Detecting E-Mail Forgery

Sender Policy Framework (SPF)

"SPF allows the receiving mail server to check during mail delivery that a mail claiming to come from a specific domain is submitted by an IP address authorized by that domain's administrators.[3] The list of authorized sending hosts and IP addresses for a domain is published in the DNS records for that domain."

https://en.wikipedia.org/wiki/Sender_Policy_Framework

This authorized host list can be queried with dig:

dig _spf.secure-startup.com

Domain-Based Message Authentication, Reporting & Conformance (DMARC)

As stated in the Wikipedia article for SPF:

"Only in combination with DMARC can it be used to detect the forging of the visible sender in emails (email spoofing[2]), a technique often used in phishing and email spam."

And from the Wikipedia article for DMARC:

https://en.wikipedia.org/wiki/DMARC

"DMARC extends two existing mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It allows the administrative owner of a domain to publish a policy in their DNS records to specify which mechanism (DKIM, SPF or both) is employed when sending email from that domain; how to check the From: field presented to end users; how the receiver should deal with failures - and a reporting mechanism for actions performed under those policies.

DMARC is defined in RFC 7489, dated March 2015, as "Informational".[1]"

To query the DMARC record:

dig _dmarc.secure-startup.com

;; ANSWER SECTION:
_dmarc.secure-startup.com. 300  IN  TXT "v=DMARC1;p=none;_F1ddl3_2_DMARC}"
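As an added example (not part of the original writeup), a small Python checker that parses the SPF and DMARC TXT records returned above and reports the settings that leave spoofed mail unrejected. The record values are the ones from the dig output on this page, flag fragments included, to show that the parser tolerates the extra terms.

```python
# Added example: parse the SPF and DMARC TXT records from this writeup and
# flag the settings that let spoofed mail through (the page's own records).
SPF_TXT = "v=spf1 a mx ?all - HTB{RIP_SPF_Always_2nd"
DMARC_TXT = "v=DMARC1;p=none;_F1ddl3_2_DMARC}"

# SPF qualifier prefixes and what a receiver does when "all" is matched.
ALL_MEANING = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}


def parse_spf(txt):
    """Split an SPF record into mechanisms and classify its 'all' qualifier."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechs = terms[1:]
    all_qual = None
    for m in mechs:
        if m.lstrip("+-~?").lower() == "all":
            q = m[0] if m[0] in ALL_MEANING else "+"  # bare "all" means "+all"
            all_qual = ALL_MEANING[q]
    return {"mechanisms": mechs, "all": all_qual}


def parse_dmarc(txt):
    """Turn 'v=DMARC1;p=none;...' into a dict of tags, ignoring junk terms."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf_txt, dmarc_txt):
    """Return findings explaining why spoofed mail from this domain is not rejected."""
    findings = []
    spf = parse_spf(spf_txt)
    if spf["all"] in (None, "neutral", "pass"):
        findings.append(f"SPF 'all' qualifier is {spf['all']}: unlisted senders are not rejected")
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc.get("p", "none") == "none":
        findings.append("DMARC policy is p=none: receivers only report, they do not quarantine or reject")
    return findings


if __name__ == "__main__":
    for f in assess(SPF_TXT, DMARC_TXT):
        print(f)
```

Run against the page's records it reports both weaknesses: `?all` is neutral, so an SPF check on a spoofed sender neither passes nor fails, and `p=none` tells receivers to deliver anyway.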

Fin

Combining the SPF half with the DMARC half gives the full flag:

HTB{RIP_SPF_Always_2nd_F1ddl3_2_DMARC}

Further useful information:

https://wordtothewise.com/2014/06/authenticating-spf/

https://dmarcian.com/spf-syntax-table/#all

Query DKIM record:

dig google._domainkey.[hostname].com TXT

;; ANSWER SECTION:
google._domainkey.[redacted].com. 300 IN TXT    "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCs2u2EDO1Lh97aEQWmJAoNQAQ6doPxwfDzyADasSVk+e4zPxpxd842aJgA1WdZoUAxRFXzwI2CHQ+4Gvu7p/IqDdCyaeFZmk5coZZ3OEUYNkonX81SJ0moFvxvorujgIDh2bexO3w+FLDZn2Y4kpnWAJL+MfqOqCzCznfCTeQG2wIDAQAB"

Note: The selector, in this case "google", is arbitrary and must be known in advance to query the record.