A redirect is a pointer to another domain name that hosts an SPF policy, it allows for multiple domains to share the same SPF policy. It is useful when working with a large amount of domains that share the same email infrastructure.
It SPF policy of the domain indicated in the redirect Mechanism will be used.
| It's also possible to identify **Qualifier**s that indicates **what should be done if a mechanism is matched**. By default, the **qualifier "+"** is used (so if any mechanism is matched, that means it's allowed).\ You usually will note **at the end of each SPF policy** something like: **\~all** or **-all**. This is used to indicate that **if the sender doesn't match any SPF policy, you should tag the email as untrusted (\~) or reject (-) the email.** #### Qualifiers Each mechanism can be combined with one of four qualifiers: * **`+`** for a PASS result. This can be omitted; e.g., `+mx` is the same as `mx`. * **`?`** for a NEUTRAL result interpreted like NONE (no policy). * **`~`** (tilde) for SOFTFAIL, a debugging aid between NEUTRAL and FAIL. Typically, messages that return a SOFTFAIL are accepted but tagged. * **`-`** (minus) for FAIL, the mail should be rejected (see below). In the following example you can read the **SPF policy of google.com**. Note how the **first SPF policy includes SPF policies of other domains:** ``` kali@kali:~$ dig txt google.com | grep spf google.com. 235 IN TXT "v=spf1 include:_spf.google.com ~all" kali@kali:~$ dig txt _spf.google.com | grep spf ; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> txt _spf.google.com ;_spf.google.com. IN TXT _spf.google.com. 235 IN TXT "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all" kali@kali:~$ dig txt _netblocks.google.com | grep spf _netblocks.google.com. 1606 IN TXT "v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all" kali@kali:~$ dig txt _netblocks2.google.com | grep spf _netblocks2.google.com. 1908 IN TXT "v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all" kali@kali:~$ dig txt _netblocks3.google.com | grep spf _netblocks3.google.com. 1903 IN TXT "v=spf1 ip4:172.217.0.0/19 ip4:172.217.32.0/20 ip4:172.217.128.0/19 ip4:172.217.160.0/20 ip4:172.217.192.0/19 ip4:172.253.56.0/21 ip4:172.253.112.0/20 ip4:108.177.96.0/19 ip4:35.191.0.0/16 ip4:130.211.0.0/22 ~all" ``` Traditionally it was possible to spoof any domain name that didn't have a correct/any SPF record. **Nowadays**, if **email** comes from a **domain without a valid SPF record** is probably going to be **rejected/marked as untrusted automatically**. To check the SPF of a domain you can use online tools like: [https://www.kitterman.com/spf/validate.html](https://www.kitterman.com/spf/validate.html) ### DKIM DomainKeys Identified Mail (DKIM) is a mechanism by which **outbound email is signed and validated by foreign MTAs upon retrieving a domain’s public key via DNS**. The DKIM public key is held within a TXT record for a domain; however, you must know both the selector and domain name to retrieve it. Then, to ask for the key you need the domain name and the selector of the mail from the mail header `DKIM-Signature` for example: `d=gmail.com;s=20120113` ``` dig 20120113._domainkey.gmail.com TXT | grep p= 20120113._domainkey.gmail.com. 280 IN TXT "k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCg KCAQEA1Kd87/UeJjenpabgbFwh+eBCsSTrqmwIYYvywlbhbqoo2DymndFkbjOVIPIldNs/m40KF+yzMn1skyoxcTUGCQs8g3 ``` ### DMARC Domain-based Message Authentication, Reporting & Conformance (DMARC) is a method of mail authentication that expands upon SPF and DKIM. Policies instruct mail servers how to process email for a given domain and report upon actions performed. ![](<../../.gitbook/assets/image (134).png>) **To obtain the DMARC record, you need to query the subdomain \_dmarc** ``` root@kali:~# dig _dmarc.yahoo.com txt | grep DMARC _dmarc.yahoo.com. 1785 IN TXT "v=DMARC1\; p=reject\; sp=none\; pct=100\; rua=mailto:dmarc-yahoo-rua@yahoo-inc.com, mailto:dmarc_y_rua@yahoo.com\;" root@kali:~# dig _dmarc.google.com txt | grep DMARC _dmarc.google.com. 600 IN TXT "v=DMARC1\; p=quarantine\; rua=mailto:mailauth-reports@google.com" root@kali:~# dig _dmarc.paypal.com txt | grep DMARC _dmarc.paypal.com. 300 IN TXT "v=DMARC1\; p=reject\; rua=mailto:d@rua.agari.com\; ruf=mailto:dk@bounce.paypal.com,mailto:d@ruf.agari.com" ``` PayPal and Yahoo instruct mail servers to reject messages that contain invalid DKIM signatures or do not originate from their networks. Notifications are then sent to the respective email addresses within each organization. Google is configured in a similar way, although it instructs mail servers to quarantine messages and not outright reject them. #### DMARC tags | Tag Name | Purpose | Sample | | -------- | --------------------------------------------- | ------------------------------- | | v | Protocol version | v=DMARC1 | | pct | Percentage of messages subjected to filtering | pct=20 | | ruf | Reporting URI for forensic reports | ruf=mailto:authfail@example.com | | rua | Reporting URI of aggregate reports | rua=mailto:aggrep@example.com | | p | Policy for organizational domain | p=quarantine | | sp | Policy for subdomains of the OD | sp=reject | | adkim | Alignment mode for DKIM | adkim=s | | aspf | Alignment mode for SPF | aspf=r | ### **What about Subdomains?** **From** [**here**](https://serverfault.com/questions/322949/do-spf-records-for-primary-domain-apply-to-subdomains)**.**\ You need to have separate SPF records for each subdomain you wish to send mail from.\ The following was originally posted on openspf.org, which used to be a great resource for this kind of thing. > The Demon Question: What about subdomains? > > If I get mail from pielovers.demon.co.uk, and there's no SPF data for pielovers, should I go back one level and test SPF for demon.co.uk? No. Each subdomain at Demon is a different customer, and each customer might have their own policy. It wouldn't make sense for Demon's policy to apply to all its customers by default; if Demon wants to do that, it can set up SPF records for each subdomain. > > So the advice to SPF publishers is this: you should add an SPF record for each subdomain or hostname that has an A or MX record. > > Sites with wildcard A or MX records should also have a wildcard SPF record, of the form: \* IN TXT "v=spf1 -all" This makes sense - a subdomain may very well be in a different geographical location and have a very different SPF definition. ### **Tools** * [**https://github.com/serain/mailspoof**](https://github.com/serain/mailspoof) **Check for SPF and DMARC misconfigurations** * [**https://pypi.org/project/checkdmarc/**](https://pypi.org/project/checkdmarc/) **Automatically get SPF and DMARC configs** You can attack some **characteristics** of **mail clients** to make the user think that the **mail** is **coming** from **any address**, more info: [**https://www.mailsploit.com/index**](https://www.mailsploit.com/index) ### **Check Spoofing** You can use the online tool [http://www.anonymailer.net/](http://www.anonymailer.net) and [https://emkei.cz/](https://emkei.cz/) to send you an email spoofing an address and check if reaches you email. ### **More info** **Find more information about these protections in** [**https://seanthegeek.net/459/demystifying-dmarc/**](https://seanthegeek.net/459/demystifying-dmarc/) ### **Other phishing indicators** * Domain’s age * Links pointing to IP addresses * Link manipulation techniques * Suspicious (uncommon) attachments * Broken email content * Values used that are different to those of the mail headers * Existence of a valid and trusted SSL certificate * Submission of the page to web content filtering sites ## Exfiltration through SMTP **If you can send data via SMTP** [**read this**](../../generic-methodologies-and-resources/exfiltration.md#smtp)**.** ## Config file ### Postfix Usually, if installed, in `/etc/postfix/master.cf` contains **scripts to execute** when for example a new mail is receipted by a user. For example the line `flags=Rq user=mark argv=/etc/postfix/filtering-f ${sender} -- ${recipient}` means that `/etc/postfix/filtering` will be executed if a new mail is received by the user mark. Other config files: ``` sendmail.cf submit.cf ``` ## HackTricks Automatic Commands ``` Protocol_Name: SMTP #Protocol Abbreviation if there is one. Port_Number: 25,465,587 #Comma separated if there is more than one. Protocol_Description: Simple Mail Transfer Protocol #Protocol Abbreviation Spelled out Entry_1: Name: Notes Description: Notes for SMTP Note: | SMTP (Simple Mail Transfer Protocol) is a TCP/IP protocol used in sending and receiving e-mail. However, since it is limited in its ability to queue messages at the receiving end, it is usually used with one of two other protocols, POP3 or IMAP, that let the user save messages in a server mailbox and download them periodically from the server. https://book.hacktricks.xyz/pentesting/pentesting-smtp Entry_2: Name: Banner Grab Description: Grab SMTP Banner Command: nc -vn {IP} 25 Entry_3: Name: SMTP Vuln Scan Description: SMTP Vuln Scan With Nmap Command: nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 {IP} Entry_4: Name: SMTP User Enum Description: Enumerate uses with smtp-user-enum Command: smtp-user-enum -M VRFY -U {Big_Userlist} -t {IP} Entry_5: Name: SMTPS Connect Description: Attempt to connect to SMTPS two different ways Command: openssl s_client -crlf -connect {IP}:465 &&&& openssl s_client -starttls smtp -crlf -connect {IP}:587 Entry_6: Name: Find MX Servers Description: Find MX servers of an organization Command: dig +short mx {Domain_Name} Entry_7: Name: Hydra Brute Force Description: Need Nothing Command: hydra -P {Big_Passwordlist} {IP} smtp -V Entry_8: Name: consolesless mfs enumeration Description: SMTP enumeration without the need to run msfconsole Note: sourced from https://github.com/carlospolop/legion Command: msfconsole -q -x 'use auxiliary/scanner/smtp/smtp_version; set RHOSTS {IP}; set RPORT 25; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smtp/smtp_ntlm_domain; set RHOSTS {IP}; set RPORT 25; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smtp/smtp_relay; set RHOSTS {IP}; set RPORT 25; run; exit' ```