Module todo: DMARK/DKIM/SPF

[TheTechromancer]

https://github.com/MattKeeley/Spoofy

Some basic examples, courtesy of chatgpt:

# Checking for common misconfigurations in SPF, DKIM, and DMARC records

def check_spf_misconfigurations(record):
    issues = []
    if 'all' in record:
        if '+all' in record:
            issues.append("SPF configured to allow all hosts.")
    return issues

def check_dkim_misconfigurations(record):
    issues = []
    if 'k=rsa;' not in record:
        issues.append("DKIM is not using RSA for signing.")
    return issues

def check_dmarc_misconfigurations(record):
    issues = []
    if 'p=none' in record:
        issues.append("DMARC policy is set to 'none'.")
    return issues

def check_email_security(domain):
    all_issues = {}

    # Check SPF record
    spf_issues = []
    try:
        spf_record = dns.resolver.resolve(domain, 'TXT')
        spf_text = [r.to_text() for r in spf_record if 'v=spf1' in r.to_text()][0]
        spf_issues = check_spf_misconfigurations(spf_text)
    except dns.resolver.NoAnswer:
        spf_issues.append("No SPF record found.")
    all_issues['SPF'] = spf_issues

    # Check DKIM record
    dkim_issues = []
    try:
        dkim_record = dns.resolver.resolve(f"selector1._domainkey.{domain}", 'TXT')
        dkim_text = dkim_record[0].to_text()
        dkim_issues = check_dkim_misconfigurations(dkim_text)
    except dns.resolver.NoAnswer:
        dkim_issues.append("No DKIM record found.")
    all_issues['DKIM'] = dkim_issues

    # Check DMARC record
    dmarc_issues = []
    try:
        dmarc_record = dns.resolver.resolve(f"_dmarc.{domain}", 'TXT')
        dmarc_text = dmarc_record[0].to_text()
        dmarc_issues = check_dmarc_misconfigurations(dmarc_text)
    except dns.resolver.NoAnswer:
        dmarc_issues.append("No DMARC record found.")
    all_issues['DMARC'] = dmarc_issues

    return all_issues

domain = "example.com"
issues = check_email_security(domain)
for key, value in issues.items():
    if value:
        print(f"Potential {key} issues for {domain}:")
        for issue in value:
            print(f"- {issue}")

Explanation

• SPF Checks: 'all' should not be configured to allow all hosts (+all). This is a common misconfiguration that basically nullifies the purpose of having an SPF record.

• DKIM Checks: The key algorithm (k=) should be RSA. If it's not, that's a potential problem as RSA is the recommended signing algorithm.

• DMARC Checks: A common misconfiguration is having the policy (p=) set to 'none', which means that the DMARC policy will not take any action against emails that fail the DMARC checks.

This should give you a starting point to build a more comprehensive tool.

[TheTechromancer]

This is now possible thanks to #1532.

[colin-stubbs]

I've got modules mostly ready for these, I'll submit new issues/PR's soon.

DMARC = ready
SPF = in progress, migrating to RAW_DNS_RECORD consumption
DKIM = starting, requires brute forcing commonly used selector names.

[TheTechromancer]

Hell yeah!

[joostgrunwald]

Hey, one thing I would like to add. I would not run these tests on all DNS records, but only on domains that we can see are being used to send mail from, for example by checking if we have email objects with these domains. DMARC on domains which are not mailed from does not really matter, but on mailable domains its a vulnerability (not even a finding)

[colin-stubbs]

@joostgrunwald that's precisely what I've got in progress, my DMARC module will emit VULNERABILITY events for non-RFC compliant/invalid polices, e.g. due to typeo etc, as well as policies that are p=none.

I can probably add a config option that would, if explicitly configured to do so, emit VULNERABILITY for p=quarantine as well.

Can you get more specific about what kind of situations beyond those that you would like to see VULNERABILITY events for? e.g. non-strict alignment etc?

Similar thing with DKIM... the module is almost ready for a PR. I've got the module emitting vulns for invalid records, non-RSA keys, invalid RSA pub keys (non-decodable to a usable key), as well as RSA key sizes less than 1024 bits. Anything else that you would want to see?

Similar with SPF too... though that module's proving a little more difficult. Again, what would you want to see from analysis of SPF records?

[joostgrunwald]

Good work, I was just enriching some open source code with proper vulnerability classes this morning, hope you have some value from it, its focused on SPF and DMARC tho.

            spf_results = checkdmarc.get_spf_record(domain)

            spf_value = spf_results["parsed"]["all"]

            if spf_value != 'fail':
                spoofing_possible_spf = True
                if spf_value == "softfail":
                    print_warning(
                        "SPF record configured to 'softfail' for '%s'" % domain)
                    
                    # add vulnerability (tuple of title, description severity)
                    vulnerabilities.append(("SPF record configured to 'softfail'", "SPF record configured to 'softfail' for '%s'" % domain, "low"))
                    
                else:
                    print_warning(
                        "SPF record missing failure behavior value for '%s'" % domain)
                    
                    # add vulnerability (tuple of title, description severity)
                    vulnerabilities.append(("SPF record missing failure behavior value", "SPF record missing failure behavior value for '%s'" % domain, "low"))
                    
        except checkdmarc.DNSException:
            print_error(
                "A general DNS error has occured when performing SPF analysis")
        except checkdmarc.SPFIncludeLoop:
            print_warning(
                "SPF record contains an 'include' loop for '%s'" % domain)
            
            # add vulnerability (tuple of title, description severity)
            vulnerabilities.append(("SPF record contains an 'include' loop", "SPF record contains an 'include' loop for '%s' this means that the SPF record contains a reference to a domain that includes the original domain, creating a loop. Such a loop can cause the SPF record to be ignored.", "high"))
        except checkdmarc.SPFRecordNotFound:
            print_warning("SPF record is missing for '%s'" % domain)

            # add vulnerability (tuple of title, description severity)
            vulnerabilities.append(("SPF record is missing", "SPF record is missing for '%s', this means the domain can be spoofed and is a critical risk" % domain, "critical"))
            spoofing_possible_spf = True

        except checkdmarc.SPFRedirectLoop:
            print_warning(
                "SPF record contains a 'redirect' loop for '%s'" % domain)
            
            # add vulnerability (tuple of title, description severity)
            vulnerabilities.append(("SPF record contains a 'redirect' loop", "SPF record contains a 'redirect' loop for '%s' this means that the SPF record contains a reference to a domain that includes the original domain, creating a loop. Such a loop can cause the SPF record to be ignored.", "high"))

        except checkdmarc.SPFSyntaxError:
            print_warning(
                "SPF record contains a syntax error for '%s'" % domain)
            spoofing_possible_spf = True

            # add vulnerability (tuple of title, description severity)
            vulnerabilities.append(("SPF record contains a syntax error", "SPF record contains a syntax error for '%s' this means the SPF record will not be parsed and therefore is not used and spoofing is possible" % domain, "critical"))
        except checkdmarc.SPFTooManyDNSLookups:
            print_warning(
                "SPF record requires too many DNS lookups for '%s'" % domain)
            
            # add vulnerability (tuple of title, description severity)
            vulnerabilities.append(("SPF record requires too many DNS lookups", "SPF record requires too many DNS lookups for '%s' this means that the SPF record contains too many DNS lookups, which can cause the SPF record to be ignored.", "high"))

        except checkdmarc.MultipleSPFRTXTRecords:
            print_warning(
                "Multiple SPF records were found for '%s'" % domain)
            spoofing_possible_spf = True

            # add vulnerability (tuple of title, description severity)
            vulnerabilities.append(("Multiple SPF records were found", "Multiple SPF records were found for '%s' this means that the domain has multiple SPF records, which can cause the SPF record to be ignored.", "critical"))
        try:
            dmarc_data = checkdmarc.get_dmarc_record(domain)
        except checkdmarc.DNSException:
            print_error(
                "A general DNS error has occured when performing DMARC analysis")
        except checkdmarc.DMARCRecordInWrongLocation:
            print_warning(
                "DMARC record is located in the wrong domain for '%s'" % domain)

            # add vulnerability (tuple of title, description severity)
            vulnerabilities.append(("DMARC record is located in the wrong domain", "DMARC record is located in the wrong domain for '%s' this means that the DMARC record is not in the correct domain, which can cause the DMARC record to be ignored.", "medium"))
        
        except checkdmarc.DMARCRecordNotFound:
            print_warning(
                "DMARC record is missing for '%s'" % domain)
            spoofing_possible_dmarc = True```

            # add vulnerability (tuple of title, description severity)
            vulnerabilities.append(("DMARC record is missing", "DMARC record is missing for '%s' this means the domain can be spoofed and is a medium risk" % domain, "medium"))
        except checkdmarc.DMARCReportEmailAddressMissingMXRecords:
            print_warning(
                "DMARC record's report URI contains a domain with invalid MX records for '%s'" % domain)
            
            # add vulnerability (tuple of title, description severity)
            vulnerabilities.append(("DMARC record's report URI contains a domain with invalid MX records", "DMARC record's report URI contains a domain with invalid MX records for '%s' this means that the DMARC record's report URI contains a domain with invalid MX records, which can cause the DMARC record to be ignored.", "medium"))

        except checkdmarc.DMARCSyntaxError:
            print_warning(
                "DMARC record contains a syntax error for '%s'" % domain)
            
            # add vulnerability (tuple of title, description severity)
            vulnerabilities.append(("DMARC record contains a syntax error", "DMARC record contains a syntax error for '%s' this means the DMARC record will not be parsed and therefore is not used and spoofing is possible" % domain, "medium"))

            spoofing_possible_dmarc = True
        except checkdmarc.InvalidDMARCReportURI:
            print_warning(
                "DMARC record references an invalid report URI for '%s'" % domain)
            
            # add vulnerability (tuple of title, description severity)
            vulnerabilities.append(("DMARC record references an invalid report URI", "DMARC record references an invalid report URI for '%s' this means the DMARC record references an invalid report URI, which can cause the DMARC record to be ignored.", "medium"))

        except checkdmarc.InvalidDMARCTag:
            print_warning(
                "DMARC record contains an invalid tag for '%s'" % domain)
            
            # add vulnerability (tuple of title, description severity)
            vulnerabilities.append(("DMARC record contains an invalid tag", "DMARC record contains an invalid tag for '%s' this means the DMARC record contains an invalid tag, which can cause the DMARC record to be ignored.", "medium"))

        except checkdmarc.MultipleDMARCRecords:
            print_warning(
                "Multiple DMARC records were found for '%s'" % domain)
            
            # add vulnerability (tuple of title, description severity)
            vulnerabilities.append(("Multiple DMARC records were found", "Multiple DMARC records were found for '%s' this means that the domain has multiple DMARC records, which can cause the DMARC record to be ignored.", "medium"))

            spoofing_possible_dmarc = True

[liquidsec]

I think work on this going to be picked up over at baddns

[colin-stubbs]

Yeap, definitely for the best.