
Email authentication for penetration testers

Formal metadata

Title
Email authentication for penetration testers
Subtitle
When SPF is not enough
Series title
Number of parts
254
Author
License
CC Attribution 4.0 International:
You may use and modify the work or its content for any legal purpose, and reproduce, distribute and make it publicly available in unchanged or modified form, provided that you credit the author/rights holder in the manner they specify.
Identifiers
Publisher
Year of publication
Language

Content metadata

Subject area
Genre
Abstract
Forget look-alike domains, typosquatting and homograph attacks. In this talk we will discuss ways of forging perfect email counterfeits that (as far as recipients can tell) appear to be coming from a well-known domain and successfully pass all checks on their way. The prime focus of this talk will be modern anti-spoofing strategies and the ways around them. Join us as we try to figure out answers to questions such as "Isn't SPF enough?", "Do I *really* need DMARC?" and "Does ticking all three (SPF, DKIM, DMARC) provide the best protection possible?" (answers to these questions are "no", "yes", "no" by the way).

Email security is poorly covered by contemporary penetration testing curricula. In this talk I will argue that it leads to underreporting of email-related security issues during regular penetration tests or red team assignments. Getting clicks from (at least some) users is usually fairly easy, even with obviously fake domain names and email addresses, so penetration testers rarely need to do anything more fancy in order to achieve their objective. While this highlights the need for user education, it misses common misconfiguration issues that might lead to much more devastating compromises and could instill a false sense of security in (rare) cases that regular phishing attacks fail. Technically inclined users (such as developers, tech support or even SIEM analysts) are less likely than others to fall for phishing email originating from a fake domain, but they are actually more likely to fall for email seemingly originating from a real known-good source due to overconfidence.

In this talk we will see just how easy it is to send spoofed mail from an arbitrary source address due to the lack of protection for this scenario in the original SMTP spec. We won't stop there however and our next object of focus will be contemporary anti-spoofing technologies (SPF, DKIM and DMARC). We will discuss the motivation behind them, their technical limitations, weaknesses discovered in recent years as well as common misconfigurations. Attendees will gain knowledge about relevant protocols and technologies that should be applicable for identifying weaknesses in the architecture of their own email systems.
Keywords