Tuesday 25 March 2014

Hacking Email Filtering Appliances and Solutions - talks and tools

I recently presented at Hackcon in Oslo, Norway, and at IT-Defense in Cologne, Germany, on the subject of "Hacking Email Filtering Appliances and Solutions".

I briefly talked about some of the vulnerabilities I have previously found in Security Appliances, but talked in much more detail about recent research I have been developing for automated enumeration of email filtering services, products and policies (offensively, from the outside).

Specifically, I talked about the enumeration techniques, and how this information could be used by malicious hackers to improve the efficiency of attacks against organizations. This type of automated reconnaissance can be combined with phishing attacks to quickly find and exploit vulnerable systems and users.

Feedback from both these talks has been very good, and I am planning to release tools, and a white paper over the coming months.

I have been developing MailFEET, an enumeration tool with defense in mind, to enable organizations to identify weaknesses in their email filtering solutions. I have tested this tool with hundreds of domains, to find some of the most common policy bypasses, and we have used these techniques with several of our customers recently to help them identify and close such loopholes.

In terms of the loopholes, well, there are a lot, and I will probably talk about that more in a future post, but for a brief three bullet-point summary:

  • Most email filtering solutions do not block embedded executable code or scripts in office documents.
  • Almost all companies tested had no filtering for common encrypted attachments (password protected office documents or zip files for example).
  • A small but significant percentage of organizations had direct bypasses in their email filtering (i.e. in around 5% - 10% of cases, it was possible to directly deliver to relays or mail-servers behind the filtering solution, by enumerating the relevant IPs from SMTP header information).
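
A filter-side check for the first two gaps above, as an added example that is not part of MailFEET or the original post: it flags password-protected ZIP entries, encrypted OOXML containers, and macro-enabled OOXML documents among a message's attachments. The function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")        # OLE2 compound file header
ENC_STREAM = "EncryptedPackage".encode("utf-16-le")  # stream present in encrypted OOXML

def classify(data: bytes) -> str:
    """Return 'encrypted', 'macro' or 'pass' for one attachment body."""
    if data.startswith(OLE_MAGIC):
        return "encrypted" if ENC_STREAM in data else "pass"  # legacy OLE2 macros not checked
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "pass"
    entries = zipfile.ZipFile(io.BytesIO(data)).infolist()
    if any(e.flag_bits & 0x1 for e in entries):      # bit 0: entry is encrypted
        return "encrypted"
    # Macro-enabled OOXML (docm/xlsm/pptm) stores its VBA project as vbaProject.bin.
    if any(e.filename.lower().endswith("vbaproject.bin") for e in entries):
        return "macro"
    return "pass"

def audit_message(raw: bytes) -> dict:
    """Map each attachment filename in a raw message to its verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {p.get_filename(): classify(p.get_payload(decode=True))
            for p in msg.iter_attachments()}

def build_zip(names, encrypted=False) -> bytes:  # constructed test archive, no real cipher
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, "x")
    out = bytearray(buf.getvalue())
    if encrypted:
        out[out.find(b"PK\x01\x02") + 8] |= 0x1      # flags field, central directory
    return bytes(out)

def sample_message() -> bytes:
    """Constructed sample message with three attachments (not real traffic)."""
    msg = EmailMessage()
    msg.set_content("constructed test message")
    for name, body in (("plain.zip", build_zip(["readme.txt"])),
                       ("locked.zip", build_zip(["secret.txt"], encrypted=True)),
                       ("report.docm", build_zip(["[Content_Types].xml", "word/vbaProject.bin"]))):
        msg.add_attachment(body, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(audit_message(sample_message()))
```

A policy that quarantines or holds anything classified as `encrypted` or `macro` for review closes the gap that a signature-only scan leaves open, since neither kind of content can be inspected as delivered.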

Tools I am currently working on include:

MailFEET - Mail Filter External Enumeration Tool - For finding vulnerable email filtering products, and flaws or bypasses in email filtering policy (written in Python and SQLite) - This just needs tidying up a bit before release.

DAPHT - Document and Archive Payload Hiding Tool - For automatically embedding test payloads in a variety of formats, to hide them from most email and web filtering solutions (written in C#).

WebFEET - Web Filter External Enumeration Tool - For finding vulnerable web filtering products, and flaws or bypasses in web filtering policy (early days of a work in progress - probably will be mainly JavaScript, PHP and SQLite).